Skip to main content

Ox App Suite CVE-2024-23193

MEDIUM
Information Exposure (CWE-200)
2024-05-06 security@open-xchange.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
May 06, 2024 - 07:15 nvd
MEDIUM 5.3

DescriptionNVD

E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known.

AnalysisAI

E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known. Affected products include: Open-Xchange Ox App Suite.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2022-24405 CRITICAL POC
9.8 Jul 27

OX App Suite through 7.10.6 allows OS Command Injection via a serialized Java class to the Documentconverter API. Rated

CVE-2022-23100 CRITICAL POC
9.8 Jul 27

OX App Suite through 7.10.6 allows OS Command Injection via Documentconverter (e.g., through an email attachment). Rated

CVE-2022-24406 MEDIUM POC
6.5 Jul 27

OX App Suite through 7.10.6 allows SSRF because multipart/form-data boundaries are predictable, and this can lead to inj

CVE-2021-33491 MEDIUM POC
6.5 Nov 22

OX App Suite through 7.10.5 allows Directory Traversal via ../ in an OOXML or ODF ZIP archive, because of the mishandlin

CVE-2022-23101 MEDIUM POC
6.1 Jul 27

OX App Suite through 7.10.6 allows XSS via appHandler in a deep link in an e-mail message. Rated medium severity (CVSS 6

CVE-2021-38377 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via JavaScript code in an anchor HTML comment within truncated e-mail, because th

CVE-2021-38375 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via the alt attribute of an IMG element in a truncated e-mail message. Rated medi

CVE-2021-33495 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat system message. Rated medium severity (CVSS 6.1), this vulnerability is re

CVE-2021-33494 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat room title during typing rendering. Rated medium severity (CVSS 6.1), this

CVE-2021-33492 MEDIUM POC
6.1 Nov 22

OX App Suite 7.10.5 allows XSS via an OX Chat room name. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2021-33490 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via a crafted snippet in a shared mail signature. Rated medium severity (CVSS 6.1

CVE-2021-33489 MEDIUM POC
6.1 Nov 22

OX App Suite through 7.10.5 allows XSS via JavaScript code in a shared XCF file. Rated medium severity (CVSS 6.1), this

Share

CVE-2024-23193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy