Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the services database user account. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error. No publicly available exploits are known.
References
Configurations
Configuration 1 (hide)
|
History
12 Jan 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
09 Nov 2023, 19:26
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6189:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6173:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6147:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6233:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6069:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6138:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6141:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6161:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6146:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6219:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6199:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6150:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6176:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6204:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6239:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6230:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6156:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6112:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6227:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6209:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6236:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6218:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6235:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6080:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6133:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6214:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6220:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6205:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6216:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6148:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6085:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:-:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6073:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6102:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6178:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6121:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6215:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6241:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6194:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6166:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6093:*:*:*:*:*:* cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6210:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Open-xchange open-xchange Appsuite
Open-xchange |
|
CWE | CWE-89 | |
References | (MISC) https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf - Release Notes, Vendor Advisory | |
References | (MISC) https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0004.json - Vendor Advisory |
02 Nov 2023, 14:26
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-02 14:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-26452
Mitre link : CVE-2023-26452
CVE.ORG link : CVE-2023-26452
JSON object : View
Products Affected
open-xchange
- open-xchange_appsuite
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')