CVE-2023-29052

MEDIUM

Shopify - XSS

Title source: llm

Description

Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.

References (3)

[Issue Tracking] https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json

[Release Notes] https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf

[Mailing List] http://seclists.org/fulldisclosure/2024/Jan/4

Scores

CVSS v3 5.4

EPSS 0.0019

EPSS Percentile 40.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (35)

open-xchange/ox_app_suite

... and 20 more

Timeline

Published Jan 08, 2024

Tracked Since Feb 18, 2026