CVE-2023-26447Cross-site Scripting in Software Gmbh OX APP Suite

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 75.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
OX Software Gmbh OX APP SuiteOpen-xchange Appsuite Frontend
Timeline
PublishedAug 2

Description

The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content. No publi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5ox_software_gmbh/ox_app_suite7.10.6-rev27

🔴Vulnerability Details

2
CVEList
CVE-2023-26447: The "upsell" widget for the portal allows to specify a product description2023-08-02
GHSA
GHSA-qfq4-f9vc-vv2j: The "upsell" widget for the portal allows to specify a product description2023-08-02
CVE-2023-26447 — Cross-site Scripting | cvebase