CVE-2024-23192

RSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content. No publicly available exploits are known.
Configurations

No configuration.

History

21 Nov 2024, 08:57

Type Values Removed Values Added
References () https://documentation.open-xchange.com/appsuite/releases/8.21/ - () https://documentation.open-xchange.com/appsuite/releases/8.21/ -
References () https://documentation.open-xchange.com/appsuite/releases/8.22/ - () https://documentation.open-xchange.com/appsuite/releases/8.22/ -
References () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json - () https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json -
References () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf - () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf -

11 Apr 2024, 11:15

Type Values Removed Values Added
References
  • {'url': 'http://seclists.org/fulldisclosure/2024/Apr/18', 'source': 'security@open-xchange.com'}

11 Apr 2024, 08:15

Type Values Removed Values Added
References
  • () http://seclists.org/fulldisclosure/2024/Apr/18 -

08 Apr 2024, 18:48

Type Values Removed Values Added
Summary
  • (es) Se podría abusar de los canales RSS que contienen atributos de datos maliciosos para inyectar código de secuencia de comandos en la sesión del navegador de un usuario cuando se leen canales RSS comprometidos o se atrae con éxito a los usuarios a cuentas comprometidas. Los atacantes podrían realizar solicitudes API maliciosas o extraer información de la cuenta del usuario. Implemente las actualizaciones y lanzamientos de parches proporcionados. Los atributos potencialmente maliciosos ahora se eliminan del contenido RSS externo. No se conocen exploits disponibles públicamente.

08 Apr 2024, 11:15

Type Values Removed Values Added
References
  • () https://documentation.open-xchange.com/appsuite/releases/8.21/ -
  • () https://documentation.open-xchange.com/appsuite/releases/8.22/ -
  • () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf -

08 Apr 2024, 09:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-08 09:15

Updated : 2024-11-21 08:57


NVD link : CVE-2024-23192

Mitre link : CVE-2024-23192

CVE.ORG link : CVE-2024-23192


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')