Open-Xchange Appsuite Office vulnerabilities

CVE-2023-26439 [HIGH] CWE-89 CVE-2023-26439: The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently s The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for poten

CVE-2023-26440 [HIGH] CWE-89 CVE-2023-26440: The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insuf The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially maliciou

CVE-2023-26441 [MEDIUM] CWE-200 CVE-2023-26441: Cacheservice did not correctly check if relative cache object were pointing to the defined absolute Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path vali

CVE-2023-26442 [LOW] CWE-918 CVE-2023-26442: In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP re In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack