MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2023-26456

CVSS 5.4v3.1pub. 2023-11-02upd. 2024-11-21

Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold. Sanitization is in place for product names now. No publicly available exploits are known.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  • Open Xchange Ox Guard

    APP
    Open-Xchange
    2.10.7< 2.10.7
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEXSS
CWE
References

Related vulnerabilities

CVE-2020-28944HIGH7.5ten sam produkt

OX Guard 2.10.4 and earlier allows a Denial of Service via a WKS server that responds slowly or with a large a...

CVE-2018-10986HIGH8.8ten sam produkt

OX Guard 2.8.0 has CSRF.

CVE-2015-8542HIGH8.8ten sam produkt

An issue was discovered in Open-Xchange Guard before 2.2.0-rev8. The "getprivkeybyid" API call is used to down...

CVE-2016-4028HIGH7.5ten sam produkt

An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to i...

CVE-2020-9426MEDIUM6.1ten sam produkt

OX Guard 2.10.3 and earlier allows XSS.