What is CVE-2023-26456?

CVE-2023-26456 is a vulnerability that allows for indirect cross-site scripting attacks in Open-Xchange OX Guard.

How severe is CVE-2023-26456?

CVE-2023-26456 has a severity rating of medium with a CVSS score of 5.4.

How does CVE-2023-26456 affect Open-Xchange OX Guard?

CVE-2023-26456 affects Open-Xchange OX Guard versions up to and including 2.10.7.

How can CVE-2023-26456 be exploited?

CVE-2023-26456 can be exploited by setting an arbitrary product name in OX Guard, which is not properly sanitized, allowing for indirect cross-site scripting attacks.

Is there a patch available for CVE-2023-26456?

Yes, a patch is available for CVE-2023-26456. Please refer to the Open-Xchange documentation and release notes for more information.

Vulnerability/
CVE-2023-26456

medium

5.4

CWE

2/11/2023

3/12/2024

CVE-2023-26456: XSS

First published: Thu Nov 02 2023(Updated: )

Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.

Credit: security@open-xchange.com

Affected Software	Affected Version	How to fix
	<2.10.7
	=2.10.7
	=2.10.7-rev4
	=2.10.7-rev5
	=2.10.7-rev6

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-26456?
CVE-2023-26456 is a vulnerability that allows for indirect cross-site scripting attacks in Open-Xchange OX Guard.
How severe is CVE-2023-26456?
CVE-2023-26456 has a severity rating of medium with a CVSS score of 5.4.
How does CVE-2023-26456 affect Open-Xchange OX Guard?
CVE-2023-26456 affects Open-Xchange OX Guard versions up to and including 2.10.7.
How can CVE-2023-26456 be exploited?
CVE-2023-26456 can be exploited by setting an arbitrary product name in OX Guard, which is not properly sanitized, allowing for indirect cross-site scripting attacks.
Is there a patch available for CVE-2023-26456?
Yes, a patch is available for CVE-2023-26456. Please refer to the Open-Xchange documentation and release notes for more information.

agent/type
agent/first-publish-date
agent/author
agent/weakness
agent/references
agent/severity
agent/softwarecombine
agent/event
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/tags
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/source
vendor/open-xchange
canonical/open-xchange ox guard
version/open-xchange ox guard/2.10.7
version/open-xchange ox guard/2.10.7-rev4
version/open-xchange ox guard/2.10.7-rev5
version/open-xchange ox guard/2.10.7-rev6

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.