6.5
CVE-2023-26428
- EPSS 0.18%
- Published 20.06.2023 08:15:09
- Last modified 21.11.2024 07:51:25
- Source security@open-xchange.com
- Teams watchlist Login
- Open Login
Attackers can successfully request arbitrary snippet IDs, including E-Mail signatures of other users within the same context. Signatures of other users could be read even though they are not explicitly shared. We improved permission handling when requesting snippets that are not explicitly shared with other users. No publicly available exploits are known.
Data is provided by the National Vulnerability Database (NVD)
Open-xchange ≫ Open-xchange Appsuite Backend Version < 7.10.6
Open-xchange ≫ Open-xchange Appsuite Backend Version >= 8.0.0 < 8.11.0
Open-xchange ≫ Open-xchange Appsuite Backend Version7.10.6
Open-xchange ≫ Open-xchange Appsuite Backend Version7.10.6 Updaterevision_39
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.18% | 0.407 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security@open-xchange.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.