CVE-2023-29048

HIGH

OXMF Template Engine - Command Injection

Title source: llm

Description

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known.

References (4)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2024/Jan/3

[Issue Tracking] https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json

[Release Notes] https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf

Scores

CVSS v3 8.8

EPSS 0.0038

EPSS Percentile 58.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (40)

open-xchange/ox_app_suite < 7.10.6

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

open-xchange/ox_app_suite

... and 25 more

Timeline

Published Jan 08, 2024

Tracked Since Feb 18, 2026