CVE-2023-26455
Severity: MEDIUM
Open-Xchange App Suite ChronosRMIService - Unauthenticated Calendar Modification
Title source: manual
Description
RMI did not require authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.
References (2)
Core References
Release Notes, Vendor Advisory release-notes
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf
Vendor Advisory vendor-advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json
Scores
CVSS v3: 5.6
EPSS: 0.0003
EPSS Percentile: 8.0%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L
Details
CWE: CWE-287
Status: published
Products (2)
open-xchange/open-xchange_appsuite: 7.10.6 (42 CPE variants)
open-xchange/open-xchange_appsuite: < 7.10.6
Published: Nov 02, 2023
Tracked Since: Feb 18, 2026