CVE-2024-23187 — Cross-site Scripting in OX APP Suite

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA6.5

EPSS

0.5%

top 35.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange OX APP Suite Open-xchange Gmbh OX APP Suite

Timeline

PublishedMay 6

Description

Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDopen-xchange/ox_app_suite< 8.22

▶CVEListV5open-xchange_gmbh/ox_app_suite8.21

🔴Vulnerability Details

CVEList

CVE-2024-23187: Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option↗2024-05-06

▶

GHSA

GHSA-2r8w-gh9h-q7vh: Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option↗2024-05-06

▶