CVE-2023-26441

Опубликовано: 02 авг. 2023

Источник: nvd

CVSS3: 5.7

CVSS3: 5.5

EPSS Низкий

Описание

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

Ссылки

http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Release Notes
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:open-xchange:open-xchange_appsuite_office:*:*:*:*:*:*:*:*

Версия до 8.11 (исключая)

EPSS

Процентиль: 10%

0.00035

Низкий

5.7 Medium

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-200

CWE-22

Связанные уязвимости

GHSA-xq7r-2vx2-8jgj

CVSS3: 5.7

github

больше 2 лет назад

EPSS

Процентиль: 10%

0.00035

Низкий

5.7 Medium

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-200

CWE-22