CVE-2024-23186 — Cross-site Scripting in OX APP Suite

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA6.5

EPSS

0.4%

top 36.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange OX APP Suite Open-xchange Gmbh OX APP Suite

Timeline

PublishedMay 6

Description

E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding displayname information to the web interface. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDopen-xchange/ox_app_suite< 8.22

▶CVEListV5open-xchange_gmbh/ox_app_suite8.21

🔴Vulnerability Details

CVEList

CVE-2024-23186: E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices↗2024-05-06

▶

GHSA

GHSA-c44v-j563-f268: E-Mail containing malicious display-name information could trigger client-side script execution when using specific mobile devices↗2024-05-06

▶