CVE-2023-26429: Command Injection
First published: Tue Jun 20 2023(Updated: )
Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known.
Credit: security@open-xchange.com security@open-xchange.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <7.10.6 | ||
| >=8.0.0<8.11.0 | ||
| =7.10.6 | ||
| =7.10.6-revision_39 | ||
| Open-xchange Open-xchange Appsuite Backend | <7.10.6 | |
| Open-xchange Open-xchange Appsuite Backend | >=8.0.0<8.11.0 | |
| Open-xchange Open-xchange Appsuite Backend | =7.10.6 | |
| Open-xchange Open-xchange Appsuite Backend | =7.10.6-revision_39 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
- http://seclists.org/fulldisclosure/2023/Jun/8
- http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
- https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json
Frequently Asked Questions
What is CVE-2023-26429?
CVE-2023-26429 is a vulnerability in Open-xchange AppSuite Backend that allowed attackers to include unexpected content via user feedback and potentially break the exported data structure.
What is the severity of CVE-2023-26429?
CVE-2023-26429 has a severity rating of medium with a severity value of 5.3.
How does CVE-2023-26429 affect Open-xchange AppSuite Backend?
CVE-2023-26429 affects Open-xchange AppSuite Backend versions up to and including 7.10.6 and versions between 8.0.0 and 8.11.0.
How can CVE-2023-26429 be fixed?
To fix CVE-2023-26429, update Open-xchange AppSuite Backend to a version that is not affected by the vulnerability.
Are there any references related to CVE-2023-26429?
Yes, you can find references related to CVE-2023-26429 at the following links: [http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html](http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html), [http://seclists.org/fulldisclosure/2023/Jun/8](http://seclists.org/fulldisclosure/2023/Jun/8), [https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json](https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- vendor/open-xchange
- canonical/open-xchange open-xchange appsuite backend
- version/open-xchange open-xchange appsuite backend/8.0.0
- version/open-xchange open-xchange appsuite backend/7.10.6
- version/open-xchange open-xchange appsuite backend/7.10.6-revision_39