Skip to main content

Ox App Suite CVE-2023-29048

HIGH
OS Command Injection (CWE-78)
2024-01-08 security@open-xchange.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 19:34 vuln.today
CVE Published
Jan 08, 2024 - 09:15 nvd
HIGH 8.8

DescriptionCVE.org

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known.

AnalysisAI

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known. Affected products include: Open-Xchange Ox App Suite.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2022-24405 CRITICAL POC
9.8 Jul 27

OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. Rated

CVE-2022-23100 CRITICAL POC
9.8 Jul 27

OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). Rated

CVE-2022-24406 MEDIUM POC
6.5 Jul 27

OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to inj

CVE-2021-33491 MEDIUM POC
6.5 Nov 22

OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandlin

CVE-2022-23101 MEDIUM POC
6.1 Jul 27

OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. Rated medium severity (CVSS 6

CVE-2021-38377 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because th

CVE-2021-38375 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message. Rated medi

CVE-2021-33495 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat system message. Rated medium severity (CVSS 6.1), this vulnerability is re

CVE-2021-33494 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. Rated medium severity (CVSS 6.1), this

CVE-2021-33492 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat room name. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2021-33490 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. Rated medium severity (CVSS 6.1

CVE-2021-33489 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file. Rated medium severity (CVSS 6.1), this

Share

CVE-2023-29048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy