Open Xchange Appsuite Frontend
CVE-2023-26450
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.
AnalysisAI
The "OX Count" web service did not specify a media-type when processing responses by external resources. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known. Affected products include: Open-Xchange Open-Xchange Appsuite Frontend.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th
Cross-site scripting (XSS) vulnerability in Open-Xchange (OX) AppSuite backend before 7.6.2-rev59, 7.8.0 before 7.8.0-re
The "OX Chat" web service did not specify a media-type when processing responses by external resources. Rated medium sev
Custom log-in and log-out locations are used-defined as jslob but were not checked to contain malicious protocol handler
The "upsell" widget for the portal allows to specify a product description. Rated medium severity (CVSS 5.4), this vulne
The users clientID at "application passwords" was not sanitized or escaped before being added to DOM. Rated medium sever
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets proce
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today