CVE-2023-26456Cross-site Scripting in OX Guard

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.2%
top 63.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Open-xchange OX GuardOX Software Gmbh OX APP Suite
Timeline
PublishedNov 2

Description

Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

NVDopen-xchange/ox_guard< 2.10.7+1
CVEListV5ox_software_gmbh/ox_app_suite2.10.7-rev6

🔴Vulnerability Details

2
GHSA
GHSA-xmj4-pwxq-wq63: Users were able to set an arbitrary "product name" for OX Guard2023-11-02
CVEList
CVE-2023-26456: Users were able to set an arbitrary "product name" for OX Guard2023-11-02
CVE-2023-26456 — Cross-site Scripting in OX Guard | cvebase