CVE-2023-26443

Опубликовано: 02 авг. 2023

Источник: nvd

CVSS3: 5.5

CVSS3: 9.8

EPSS Низкий

Описание

Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could potentially be escalated to a malicious SQL injection vulnerability. We now properly encode single quotes for SQL FULLTEXT queries. No publicly available exploits are known.

Ссылки

http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Release Notes
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html
Third Party Advisory
VDB Entry
http://seclists.org/fulldisclosure/2023/Aug/8
Mailing List
Third Party Advisory
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf
Release Notes

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*

Версия до 7.10.6 (включая)

cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*

Версия от 8.10.0 (включая) до 8.12 (включая)

EPSS

Процентиль: 15%

0.00049

Низкий

5.5 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-c2rq-xcq6-frfg

CVSS3: 5.5

github

больше 2 лет назад

EPSS

Процентиль: 15%

0.00049

Низкий

5.5 Medium

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-89