CVE-2023-26443 — SQL Injection in Software Gmbh OX APP Suite

CWE-89 — SQL Injection3 documents3 sources

Severity

9.8CRITICALNVD

CNA5.5

EPSS

0.0%

top 84.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

OX Software Gmbh OX APP Suite Open-xchange Appsuite Backend

Timeline

PublishedAug 2

Description

Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could potentially be escalated to a malicious SQL injection vulnerability. We now properly encode single quotes for SQL FULLTEXT queries. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5ox_software_gmbh/ox_app_suite7.10.6-rev42+1

▶NVDopen-xchange/open-xchange_appsuite_backend8.10.0 — 8.12+1

🔴Vulnerability Details

CVEList

CVE-2023-26443: Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements↗2023-08-02

▶

GHSA

GHSA-c2rq-xcq6-frfg: Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements↗2023-08-02

▶