CVE-2023-29049 — Cross-site Scripting in OX APP Suite

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA5.4

EPSS

0.2%

top 55.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange OX APP Suite Open-xchange Gmbh OX APP Suite

Timeline

PublishedJan 8

Description

The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDopen-xchange/ox_app_suite< 7.10.6+1

▶CVEListV5open-xchange_gmbh/ox_app_suite7.10.6-rev33

🔴Vulnerability Details

GHSA

GHSA-pgpx-675x-4jcv: The "upsell" widget at the portal page could be abused to inject arbitrary script code↗2024-01-08

▶

CVEList

CVE-2023-29049: The "upsell" widget at the portal page could be abused to inject arbitrary script code↗2024-01-08

▶