CVE-2023-29044

MEDIUM

Documents - Code Injection

Title source: llm

Description

Documents operations could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now get escaped to avoid code execution. No publicly available exploits are known.

References (2)

[Release Notes, Vendor Advisory] https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf

[Vendor Advisory] https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json

Scores

CVSS v3 5.4

EPSS 0.0016

EPSS Percentile 36.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (43)

open-xchange/open-xchange_appsuite < 7.10.6

open-xchange/open-xchange_appsuite

... and 28 more

Timeline

Published Nov 02, 2023

Tracked Since Feb 18, 2026