CVE-2024-23188 — Cross-site Scripting in Gmbh OX APP Suite

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 71.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Open-xchange Gmbh OX APP Suite

Timeline

PublishedMay 6

Description

Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploit…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5open-xchange_gmbh/ox_app_suite8.21

🔴Vulnerability Details

CVEList

CVE-2024-23188: Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session↗2024-05-06

▶

GHSA

GHSA-c7gh-gc4c-px6v: Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session↗2024-05-06

▶