CVE-2023-29045

EPSS 0.16%
Published 02.11.2023 14:15:11
Last modified 21.11.2024 07:56:26
Source security@open-xchange.com
Teams watchlist Login
Open Login

Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code. Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document. Operation data exchanged between collaborating parties does now gets checked for validity to avoid code execution. No publicly available exploits are known.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Open-xchange ≫ Open-xchange Appsuite Version < 7.10.6

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Update-

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6069

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6073

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6080

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6085

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6093

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6102

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6112

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6121

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6133

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6138

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6141

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6146

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6147

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6148

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6150

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6156

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6161

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6166

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6173

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6176

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6178

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6189

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6194

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6199

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6204

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6205

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6209

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6210

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6214

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6215

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6216

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6218

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6219

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6220

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6227

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6230

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6233

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6235

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6236

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6239

Open-xchange ≫ Open-xchange Appsuite Version7.10.6 Updatepatch_release_6241

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.16%	0.374

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security@open-xchange.com	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0004.json

https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6243_7.10.6_2023-08-01.pdf

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2023-29045

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29045

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29045

EUVD