cvelistv5 - cve-2023-24601

CVE-2023-24601 (GCVE-0-2023-24601)

Vulnerability from cvelistv5

Published

2023-05-29 00:00

Modified

2025-01-14 15:08

Severity ?

CWE

Summary

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

References

►

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

oxas-adv-2023-0001

Vulnerability from csaf_ox

Published

2023-02-06 00:00

Modified

2024-01-22 00:00

Summary

OX App Suite Security Advisory OXAS-ADV-2023-0001

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "HIGH"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6209_7.10.6_2023-02-06.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0001.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2023/oxas-adv-2023-0001.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2023/oxas-adv-2023-0001.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2023/oxas-adv-2023-0001.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2023-0001",
    "tracking": {
      "current_release_date": "2024-01-22T00:00:00+00:00",
      "generator": {
        "date": "2024-01-22T13:14:13+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2023-0001",
      "initial_release_date": "2023-02-06T00:00:00+01:00",
      "revision_history": [
        {
          "date": "2023-02-06T00:00:00+01:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "3",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev36",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev36",
                  "product_id": "OXAS-BACKEND_7.10.6-rev36",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev36:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.8",
                "product": {
                  "name": "OX App Suite backend 8.8",
                  "product_id": "OXAS-BACKEND_8.8",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.8:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev37",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev37",
                  "product_id": "OXAS-BACKEND_7.10.6-rev37",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev37:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6209"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.9",
                "product": {
                  "name": "OX App Suite backend 8.9",
                  "product_id": "OXAS-BACKEND_8.9",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.9:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.10",
                "product": {
                  "name": "OX App Suite backend 8.10",
                  "product_id": "OXAS-BACKEND_8.10",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.10:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev66",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev66",
                  "product_id": "OXAS-BACKEND_7.6.3-rev66",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev66:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev67",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev67",
                  "product_id": "OXAS-BACKEND_7.6.3-rev67",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev67:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6209"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite backend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev23",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev23",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev23",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev23:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev51",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev51",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev51:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.8",
                "product": {
                  "name": "OX App Suite frontend 8.8",
                  "product_id": "OXAS-FRONTEND_8.8",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.8:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev24",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev24",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev24",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev24:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6209"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev52",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev52",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev52",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev52:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6209"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.9",
                "product": {
                  "name": "OX App Suite frontend 8.9",
                  "product_id": "OXAS-FRONTEND_8.9",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.9:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pre8.0",
                "product": {
                  "name": "OX App Suite frontend pre8.0",
                  "product_id": "OXAS-FRONTEND_pre8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:pre8.0:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.0",
                "product": {
                  "name": "OX App Suite frontend 8.0",
                  "product_id": "OXAS-FRONTEND_8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.0:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.6",
                "product": {
                  "name": "OX App Suite frontend 8.6",
                  "product_id": "OXAS-FRONTEND_8.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.6:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.7",
                "product": {
                  "name": "OX App Suite frontend 8.7",
                  "product_id": "OXAS-FRONTEND_8.7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-24599",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "discovery_date": "2023-01-02T16:30:53+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1978"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37",
          "OXAS-BACKEND_8.9"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36",
          "OXAS-BACKEND_8.8"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-27T16:43:23+01:00",
          "details": "Please deploy the provided updates and patch releases. We improved permission checks when updating appointments to restrict access.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Users can change arbitrary appointments by ID confusion"
    },
    {
      "cve": "CVE-2023-24603",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-01-03T14:06:48+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1981"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37",
          "OXAS-BACKEND_8.10"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36",
          "OXAS-BACKEND_8.9"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-31T09:45:34+01:00",
          "details": "Please deploy the provided updates and patch releases. We improved the limitation for content length and immediately stop downloading if a threshold is hit.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.9"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.9"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Size limits for external content are not considered for data transfer"
    },
    {
      "cve": "CVE-2023-24604",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-01-03T14:43:16+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1983"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37",
          "OXAS-BACKEND_8.10"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36",
          "OXAS-BACKEND_8.9"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-30T12:59:36+01:00",
          "details": "Please deploy the provided updates and patch releases. We introduced a limitation for HTTP header length and reject processing if a threshold is hit.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.9"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_8.9"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Header length does not get limited for external content"
    },
    {
      "cve": "CVE-2023-24598",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "discovery_date": "2023-01-09T13:12:51+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1995"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37",
          "OXAS-BACKEND_7.6.3-rev67",
          "OXAS-BACKEND_8.9"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36",
          "OXAS-BACKEND_7.6.3-rev66",
          "OXAS-BACKEND_8.8"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-27T15:51:43+01:00",
          "details": "Please deploy the provided updates and patch releases. We improved permission checks when editing distribution lists to restrict access.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_7.6.3-rev66",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_7.6.3-rev66",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Distribution lists allow discovering private contacts of other users"
    },
    {
      "cve": "CVE-2023-24605",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "discovery_date": "2023-01-10T09:29:23+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1997"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-10T15:03:35+01:00",
          "details": "Please deploy the provided updates and patch releases. We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "API access not fully restricted when requiring 2FA"
    },
    {
      "cve": "CVE-2023-24600",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "discovery_date": "2023-01-10T15:58:54+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1998"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Folder ACL combinations like \"read own, delete all\" were incorrectly applied and allowed that users could move objects which they were not expected to read."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev37",
          "OXAS-BACKEND_7.6.3-rev67",
          "OXAS-BACKEND_8.9"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev36",
          "OXAS-BACKEND_7.6.3-rev66",
          "OXAS-BACKEND_8.8"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-27T15:21:48+01:00",
          "details": "Please deploy the provided updates and patch releases. Permission checks have been updated and include checking for read permissions when performing move operations.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_7.6.3-rev66",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev36",
            "OXAS-BACKEND_7.6.3-rev66",
            "OXAS-BACKEND_8.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moving objects to folders with read access effectively bypassed the \"read own\" restriction."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "\"Read own/delete all\" permissions allows moving other users contacts to own address book"
    },
    {
      "cve": "CVE-2023-24597",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2023-01-03T12:26:53+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2130"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev24",
          "OXAS-FRONTEND_7.6.3-rev52",
          "OXAS-FRONTEND_8.9"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev23",
          "OXAS-FRONTEND_7.6.3-rev51",
          "OXAS-FRONTEND_8.8"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-26T14:40:23+01:00",
          "details": "Please deploy the provided updates and patch releases. We now apply the same setting for loading external content when generating the E-Mail print content.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_7.6.3-rev51",
            "OXAS-FRONTEND_8.8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_7.6.3-rev51",
            "OXAS-FRONTEND_8.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Remote resources are loaded in print view"
    },
    {
      "cve": "CVE-2023-24601",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-11-02T16:20:38+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The \"registry\" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev24",
          "OXAS-FRONTEND_7.6.3-rev52",
          "OXAS-FRONTEND_8.0"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev23",
          "OXAS-FRONTEND_7.6.3-rev51",
          "OXAS-FRONTEND_pre8.0"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-01-30T12:39:16+01:00",
          "details": "Please deploy the provided updates and patch releases. We made the relevant jslob path read-only for users.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_7.6.3-rev51",
            "OXAS-FRONTEND_pre8.0"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_7.6.3-rev51",
            "OXAS-FRONTEND_pre8.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS with non-app deeplinks like \"registry\""
    },
    {
      "cve": "CVE-2023-24602",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-11-02T16:13:12+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2033"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev24",
          "OXAS-FRONTEND_8.7"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev23",
          "OXAS-FRONTEND_8.6"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-10T15:03:55+01:00",
          "details": "Please deploy the provided updates and patch releases. We now insert untrusted external content as plain-text.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_8.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev23",
            "OXAS-FRONTEND_8.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS at Tumblr portal widget due to missing content sanitization"
    }
  ]
}

ghsa-cqj2-j35m-r4vg

Vulnerability from github

Published

2023-05-29 03:30

Modified

2024-04-04 04:22

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-24601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-29T03:15:09Z",
    "severity": "MODERATE"
  },
  "details": "OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API\u0027s registry sub-tree.",
  "id": "GHSA-cqj2-j35m-r4vg",
  "modified": "2024-04-04T04:22:29Z",
  "published": "2023-05-29T03:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24601"
    },
    {
      "type": "WEB",
      "url": "https://open-xchange.com"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/May/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2023-24601

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

Aliases

CVE-2023-24601

Aliases

CVE-2023-24601

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-24601",
    "id": "GSD-2023-24601"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-24601"
      ],
      "details": "OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API\u0027s registry sub-tree.",
      "id": "GSD-2023-24601",
      "modified": "2023-12-13T01:20:57.573500Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-24601",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API\u0027s registry sub-tree."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://open-xchange.com",
            "refsource": "MISC",
            "url": "https://open-xchange.com"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2023/May/3",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2023/May/3"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.10.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2023-24601"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API\u0027s registry sub-tree."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://open-xchange.com",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://open-xchange.com"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2023/May/3",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2023/May/3"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-06-01T19:40Z",
      "publishedDate": "2023-05-29T03:15Z"
    }
  }
}

fkie_cve-2023-24601

Vulnerability from fkie_nvd

Published

2023-05-29 03:15

Modified

2024-11-21 07:48

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API's registry sub-tree.

References

URL	Tags
cve@mitre.org	http://seclists.org/fulldisclosure/2023/May/3	Mailing List, Third Party Advisory
cve@mitre.org	https://open-xchange.com	Product
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2023/May/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://open-xchange.com	Product

Impacted products

Vendor	Product	Version
open-xchange	ox_app_suite	*
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BBF1862-B6FF-4F32-A3C1-59D28BA25F81",
              "versionEndExcluding": "7.10.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*",
              "matchCriteriaId": "3A4EAD2E-C3C3-4C79-8C42-375FFE638486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*",
              "matchCriteriaId": "39198733-D227-4935-9A60-1026040D262F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*",
              "matchCriteriaId": "3C86EE81-8CD4-4131-969A-BDA24B9B48E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*",
              "matchCriteriaId": "F9E9C869-7DA9-4EFA-B613-82BA127F6CE5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*",
              "matchCriteriaId": "F8FAA329-5893-412B-8349-4DA3023CC76E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*",
              "matchCriteriaId": "BB6A57A4-B18D-498D-9A8C-406797A6255C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*",
              "matchCriteriaId": "7F0977F0-90B4-48B4-BED6-C218B5CA5E03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*",
              "matchCriteriaId": "4D55DE67-8F93-48F3-BE54-D3A065479281",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*",
              "matchCriteriaId": "D27980B4-B71B-4DA8-B130-F0B5929F8E65",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*",
              "matchCriteriaId": "DD1709BC-7DEB-4508-B3C3-B20F5FD001A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*",
              "matchCriteriaId": "08A6BDD5-259E-4DC3-A548-00CD0D459749",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*",
              "matchCriteriaId": "B8166FF4-77D8-4A12-92E5-615B3DA2E602",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*",
              "matchCriteriaId": "999F057B-7918-461A-B60C-3BE72E92CDC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*",
              "matchCriteriaId": "88FD1550-3715-493E-B674-9ECF3DD7A813",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*",
              "matchCriteriaId": "F31A4949-397F-4D1B-8AEA-AC7B335722F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*",
              "matchCriteriaId": "D33A91D4-CE21-486D-9469-B09060B8C637",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*",
              "matchCriteriaId": "5E3E5CD2-7631-4DBE-AB4D-669E82BCCAD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*",
              "matchCriteriaId": "2BEE0AF0-3D22-4DE7-9E71-A4469D9CA2EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*",
              "matchCriteriaId": "AAFB199C-1D66-442D-AD7E-414DD339E1D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*",
              "matchCriteriaId": "26322561-2491-4DC7-B974-0B92B61A5BDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*",
              "matchCriteriaId": "A6BA6C2B-F2D5-4FF7-B316-C8E99C2B464B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*",
              "matchCriteriaId": "733E4A65-821B-4187-AA3A-1ACD3E882C07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*",
              "matchCriteriaId": "6B0A0043-33E8-4440-92AC-DDD70EA39535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*",
              "matchCriteriaId": "303205CC-8BDE-47EE-A675-9BA19983139A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OX App Suite before frontend 7.10.6-rev24 allows XSS via a non-app deeplink such as the jslob API\u0027s registry sub-tree."
    }
  ],
  "id": "CVE-2023-24601",
  "lastModified": "2024-11-21T07:48:13.027",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-05-29T03:15:09.663",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/May/3"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://open-xchange.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2023/May/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://open-xchange.com"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-24601 (GCVE-0-2023-24601)

Vulnerability from cvelistv5

oxas-adv-2023-0001

Vulnerability from csaf_ox

ghsa-cqj2-j35m-r4vg

Vulnerability from github

gsd-2023-24601

Vulnerability from gsd

fkie_cve-2023-24601

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature