CVE-2023-26430: Command Injection in Software Gmbh OX APP Suite

CWE-77: Command Injection | 3 documents | 3 sources

Severity
NVD: 4.3 MEDIUM
CNA: 3.5
EPSS
0.1% (top 80.85%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 2, 2023

Description

Attackers with access to user accounts can inject arbitrary control characters into SIEVE mail-filter rules. This could be abused to access SIEVE extensions that are not allowed by App Suite or to inject rules which would break per-user filter processing, requiring manual cleanup of such rules. We have added sanitization to all mail-filter APIs to avoid forwarding control characters to subsystems. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: ox_software_gmbh/ox_app_suite 7.10.6-rev42 (+1)

Vulnerability Details (2)

CVEList: CVE-2023-26430: Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules (2023-08-02)
GHSA: GHSA-9rfr-rprq-pv78: Attackers with access to user accounts can inject arbitrary control characters to SIEVE mail-filter rules (2023-08-02)
CVE-2023-26430 — Command Injection | cvebase