The cacheservice API could be abused to indirectly inject parameters with SQL syntax which was insufficiently sanitized and would later be executed when creating new cache groups. Attackers with access to a local or restricted network could perform arbitrary SQL queries. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Aug/8 | Mailing List Third Party Advisory |
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json | |
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf | Release Notes |
Configurations
History
12 Jan 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
08 Aug 2023, 18:18
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.8 |
First Time |
Open-xchange open-xchange Appsuite Office
Open-xchange |
|
References | (MISC) http://seclists.org/fulldisclosure/2023/Aug/8 - Mailing List, Third Party Advisory | |
References | (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf - Release Notes | |
References | (MISC) http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html - Third Party Advisory, VDB Entry | |
References | (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0003.json - Vendor Advisory | |
CPE | cpe:2.3:a:open-xchange:open-xchange_appsuite_office:*:*:*:*:*:*:*:* | |
CWE | CWE-89 |
03 Aug 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Aug 2023, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
02 Aug 2023, 13:30
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-02 13:15
Updated : 2024-01-12 08:15
NVD link : CVE-2023-26440
Mitre link : CVE-2023-26440
CVE.ORG link : CVE-2023-26440
JSON object : View
Products Affected
open-xchange
- open-xchange_appsuite_office
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')