CVE-2023-26429

Опубликовано: 20 июн. 2023

Источник: nvd

CVSS3: 3.5

CVSS3: 5.3

EPSS Низкий

Описание

Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known.

Ссылки

http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf
Release Notes
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Jun/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf
Release Notes

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*

Версия до 7.10.6 (исключая)

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*

Версия от 8.0.0 (включая) до 8.11.0 (исключая)

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

EPSS

Процентиль: 34%

0.00135

Низкий

3.5 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-77

Связанные уязвимости

GHSA-q84v-pwf5-wm4x

CVSS3: 3.5

github

больше 2 лет назад

EPSS

Процентиль: 34%

0.00135

Низкий

3.5 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-77