CVE-2023-26435

It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Attackers could discover restricted network topology and services as well as including local files with read permissions of the open-xchange system user. This was limited to specific file-types, like images. We have improved existing content filters and validators to avoid including any local resources. No publicly available exploits are known.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

History

12 Jan 2024, 08:15

Type Values Removed Values Added
References
  • {'url': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'name': 'https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json', 'tags': ['Third Party Advisory'], 'refsource': 'MISC'}
  • () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json -

06 Jul 2023, 16:52

Type Values Removed Values Added
References (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 - Mailing List, Third Party Advisory
References (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html - Third Party Advisory, VDB Entry
References (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf - Release Notes
References (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0002.json - Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.0
First Time Open-xchange
Open-xchange open-xchange Appsuite Backend
CWE CWE-918
CPE cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:*:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:*:*:*:*:*:*:*
cpe:2.3:a:open-xchange:open-xchange_appsuite_backend:7.10.6:revision_39:*:*:*:*:*:*

22 Jun 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html -

22 Jun 2023, 00:15

Type Values Removed Values Added
References
  • (MISC) http://seclists.org/fulldisclosure/2023/Jun/8 -

20 Jun 2023, 13:03

Type Values Removed Values Added
New CVE

Information

Published : 2023-06-20 08:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-26435

Mitre link : CVE-2023-26435

CVE.ORG link : CVE-2023-26435


JSON object : View

Products Affected

open-xchange

  • open-xchange_appsuite_backend
CWE
CWE-918

Server-Side Request Forgery (SSRF)