The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2024/Jan/3 | Mailing List Third Party Advisory |
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json | Issue Tracking |
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf | Release Notes |
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html | Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2024/Jan/3 | Mailing List Third Party Advisory |
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json | Issue Tracking |
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf | Release Notes |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:56
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.6 |
References | () http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html - Third Party Advisory, VDB Entry | |
References | () http://seclists.org/fulldisclosure/2024/Jan/3 - Mailing List, Third Party Advisory | |
References | () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json - Issue Tracking | |
References | () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf - Release Notes |
12 Jan 2024, 14:24
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.6 |
First Time |
Open-xchange
Open-xchange ox App Suite |
|
CWE | CWE-74 | |
References | () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json - Issue Tracking | |
References | () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf - Release Notes | |
References | () http://seclists.org/fulldisclosure/2024/Jan/3 - Mailing List, Third Party Advisory | |
References | () http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html - Third Party Advisory, VDB Entry | |
CPE | cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev35:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev37:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:8.16:*:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev50:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev36:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:* cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31:*:*:*:*:*:* |
12 Jan 2024, 07:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
09 Jan 2024, 18:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jan 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
08 Jan 2024, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-08 09:15
Updated : 2024-11-21 07:56
NVD link : CVE-2023-29050
Mitre link : CVE-2023-29050
CVE.ORG link : CVE-2023-29050
JSON object : View
Products Affected
open-xchange
- ox_app_suite