CVE-2023-26445: XSS
First published: Wed Aug 02 2023(Updated: )
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known.
Credit: security@open-xchange.com security@open-xchange.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| <=7.10.6 | ||
| Open-xchange Open-xchange Appsuite Frontend | <=7.10.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
- https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
- http://seclists.org/fulldisclosure/2023/Aug/8
- http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
- https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json
Frequently Asked Questions
What is CVE-2023-26445?
CVE-2023-26445 is a vulnerability in Open-xchange Appsuite Frontend where user-controllable jslob settings can point to a malicious resource that gets processed during login, leading to session hijacking or triggering unwanted actions.
Which software versions are affected by CVE-2023-26445?
Open-xchange Appsuite Frontend versions up to and including 7.10.6 are affected by CVE-2023-26445.
What is the severity of CVE-2023-26445?
CVE-2023-26445 has a severity rating of 5.4 (medium).
How can CVE-2023-26445 be exploited?
CVE-2023-26445 can be exploited by an attacker controlling the jslob settings to point to a malicious resource, which will then be processed during login and allow for the execution of malicious script code within the victim's context.
How can I mitigate CVE-2023-26445?
To mitigate CVE-2023-26445, users should update to a version of Open-xchange Appsuite Frontend that is not affected by the vulnerability (higher than 7.10.6) and ensure that the jslob settings are not user-controllable or restrict user input to prevent the pointing to malicious resources.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/nvd-latest
- vendor/open-xchange
- canonical/open-xchange open-xchange appsuite frontend
- version/open-xchange open-xchange appsuite frontend/7.10.6