CVE-2023-29048 — OS Command Injection in OX APP Suite
Severity: 8.8 HIGH (NVD)
EPSS: 0.4% (top 40.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jan 8, 2024
Description
A component for parsing OXMF templates could be abused to execute arbitrary system commands, which would run as the non-privileged runtime user. Users and attackers could therefore run system commands with limited privilege, gaining unauthorized access to confidential information and potentially violating integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands at the system level. No publicly available exploits are known.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Exploitability: 2.8 | Impact: 5.9)
Affected Packages: 2 packages
Vulnerability Details
CVE List
CVE-2023-29048: A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user (2024-01-08)
GHSA
GHSA-2w87-fjj9-j39h: A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user (2024-01-08)