CVE-2023-29049

The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
OXCNA
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 38%
VendorProductVersion
open-xchangeox_app_suite
𝑥
< 7.10.6
open-xchangeox_app_suite
7.10.6
open-xchangeox_app_suite
7.10.6:rev01
open-xchangeox_app_suite
7.10.6:rev02
open-xchangeox_app_suite
7.10.6:rev03
open-xchangeox_app_suite
7.10.6:rev04
open-xchangeox_app_suite
7.10.6:rev05
open-xchangeox_app_suite
7.10.6:rev06
open-xchangeox_app_suite
7.10.6:rev07
open-xchangeox_app_suite
7.10.6:rev08
open-xchangeox_app_suite
7.10.6:rev09
open-xchangeox_app_suite
7.10.6:rev10
open-xchangeox_app_suite
7.10.6:rev11
open-xchangeox_app_suite
7.10.6:rev12
open-xchangeox_app_suite
7.10.6:rev13
open-xchangeox_app_suite
7.10.6:rev14
open-xchangeox_app_suite
7.10.6:rev15
open-xchangeox_app_suite
7.10.6:rev16
open-xchangeox_app_suite
7.10.6:rev17
open-xchangeox_app_suite
7.10.6:rev18
open-xchangeox_app_suite
7.10.6:rev19
open-xchangeox_app_suite
7.10.6:rev20
open-xchangeox_app_suite
7.10.6:rev21
open-xchangeox_app_suite
7.10.6:rev22
open-xchangeox_app_suite
7.10.6:rev23
open-xchangeox_app_suite
7.10.6:rev24
open-xchangeox_app_suite
7.10.6:rev25
open-xchangeox_app_suite
7.10.6:rev26
open-xchangeox_app_suite
7.10.6:rev27
open-xchangeox_app_suite
7.10.6:rev28
open-xchangeox_app_suite
7.10.6:rev29
open-xchangeox_app_suite
7.10.6:rev30
open-xchangeox_app_suite
7.10.6:rev31
open-xchangeox_app_suite
7.10.6:rev32
open-xchangeox_app_suite
7.10.6:rev33
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html
http://seclists.org/fulldisclosure/2024/Jan/3
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html
http://seclists.org/fulldisclosure/2024/Jan/3
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf