CVE-2023-26449
MEDIUMopen-xchange_appsuite_frontend < 7.10.6 - Cross-Site Scripting via OX Chat Response Media-Type
Title source: llmDescription
The "OX Chat" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.
References (4)
Core 4
Core References
Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2023/Aug/8
Release Notes release-notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Vendor Advisory vendor-advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
40.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
open-xchange/open-xchange_appsuite_frontend
< 7.10.6
Published
Aug 02, 2023
Tracked Since
Feb 18, 2026