CVE-2023-29052

Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.

CVSS v3.0 5.4 MEDIUM

5.4^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf	Release Notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32::::::
	cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31::::::

History

22 Jan 2024, 11:15

Type	Values Removed	Values Added
References	~~{'url': 'http://seclists.org/fulldisclosure/2024/Jan/4', 'name': 'http://seclists.org/fulldisclosure/2024/Jan/4', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': ''}~~ {'url': 'http://packetstormsecurity.com/files/176422/OX-App-Suite-7.10.6-Access-Control-Cross-Site-Scripting.html', 'name': 'http://packetstormsecurity.com/files/176422/OX-App-Suite-7.10.6-Access-Control-Cross-Site-Scripting.html', 'tags': ['Third Party Advisory', 'VDB Entry'], 'refsource': ''}
Summary	Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.	Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly. Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.

12 Jan 2024, 14:27

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
CWE		CWE-79
First Time		Open-xchange Open-xchange ox App Suite
CPE		cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:::::: cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11::::::
References	~~() http://seclists.org/fulldisclosure/2024/Jan/4 -~~	() http://seclists.org/fulldisclosure/2024/Jan/4 - Mailing List, Third Party Advisory
References	~~() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json -~~	() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json - Issue Tracking
References	~~() http://packetstormsecurity.com/files/176422/OX-App-Suite-7.10.6-Access-Control-Cross-Site-Scripting.html -~~	() http://packetstormsecurity.com/files/176422/OX-App-Suite-7.10.6-Access-Control-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry
References	~~() https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf -~~	() https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf - Release Notes

12 Jan 2024, 07:15

Type	Values Removed	Values Added
References	{'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0006.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0006.json', 'tags': [], 'refsource': ''}	() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json -

09 Jan 2024, 18:15

Type	Values Removed	Values Added
References		() http://packetstormsecurity.com/files/176422/OX-App-Suite-7.10.6-Access-Control-Cross-Site-Scripting.html -

08 Jan 2024, 23:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Jan/4 -

08 Jan 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-08 09:15

Updated : 2024-01-22 11:15

NVD link : CVE-2023-29052

Mitre link : CVE-2023-29052

JSON object : View

Products Affected

open-xchange

ox_app_suite

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10