CVE-2023-26429

Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known.

Published: Jun 20, 2023
Updated: Jul 8, 2023
CVE: CVE-2023-26429
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
open-xchange / open-xchange_appsuite_backend	-	7.10.6
open-xchange / open-xchange_appsuite_backend	7.10.6	7.10.6.x
open-xchange / open-xchange_appsuite_backend	7.10.6-revision_39	7.10.6-revision_39.x
open-xchange / open-xchange_appsuite_backend	8.0.0	8.11.0

http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html
http://seclists.org/fulldisclosure/2023/Jun/8
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json
https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf

Vulnerability Database

289,697

CVE-2023-26429