CVE-2023-41710 — Cross-site Scripting in OX APP Suite

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.1%

top 64.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange OX APP Suite Open-xchange Gmbh OX APP Suite

Timeline

PublishedJan 8

Description

User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDopen-xchange/ox_app_suite< 7.10.6+1

▶CVEListV5open-xchange_gmbh/ox_app_suite7.10.6-rev34

🔴Vulnerability Details

CVEList

CVE-2023-41710: User-defined script code could be stored for a upsell related shop URL↗2024-01-08

▶

GHSA

GHSA-9rm8-w7j5-j66w: User-defined script code could be stored for a upsell related shop URL↗2024-01-08

▶