CVE-2023-26447 in OX App Suiteinformazioni

Riassunto

di MITRE • 02/08/2023

The "upsell" widget for the portal allows to specify a product description. This description taken from a user-controllable jslob did not get escaped before being added to DOM. Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. We now sanitize jslob content. No publicly available exploits are known.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Responsabile

Open-Xchange

Prenotare

22/02/2023

Divulgazione

02/08/2023

Moderazione

accettato

CPE

pronto

EPSS

0.00558

KEV

no

Attività

molto basso

Fonti

Might our Artificial Intelligence support you?

Check our Alexa App!