CVE-2023-26429: Command Injection in Appsuite Backend

CWE-77 Command Injection | 3 documents | 3 sources
Severity
NVD: 5.3 MEDIUM
CNA: 3.5
EPSS
0.2%
top 61.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 20

Description

Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace characters during the export. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: ox_software_gmbh/ox_app_suite 7.10.6-rev39 +1

Vulnerability Details (2)

CVEList: CVE-2023-26429: Control characters were not removed when exporting user feedback content (2023-06-20)
GHSA: GHSA-q84v-pwf5-wm4x: Control characters were not removed when exporting user feedback content (2023-06-20)