CVE-2023-26455 — Improper Authentication in Appsuite

CWE-287 — Improper Authentication3 documents3 sources

Severity

7.8HIGHNVD

CNA5.6

EPSS

0.0%

top 92.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange Appsuite OX Software Gmbh OX APP Suite

Timeline

PublishedNov 2

Description

RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDopen-xchange/open-xchange_appsuite< 7.10.6+1

▶CVEListV5ox_software_gmbh/ox_app_suite7.10.6-rev48+1

🔴Vulnerability Details

CVEList

CVE-2023-26455: RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer↗2023-11-02

▶

GHSA

GHSA-9wv2-mrrp-v8g7: RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer↗2023-11-02

▶