CVE-2023-26435

CVSS V2 None CVSS V3 None

Description

It was possible to call filesystem and network references using the local LibreOffice instance using manipulated ODT documents. Attackers could discover restricted network topology and services as well as including local files with read permissions of the open-xchange system user. This was limited to specific file-types, like images. We have improved existing content filters and validators to avoid including any local resources. No publicly available exploits are known.

Overview

CVE ID
CVE-2023-26435

Assigner
OX

Vulnerability Status
PUBLISHED

Published Version
2023-06-20T07:51:58.299Z

Last Modified Date
2024-01-12T07:13:46.277Z

Weakness Enumerations

CWE	URL
CWE-918	http://cwe.mitre.org/data/definitions/918.html

References

Reference URL	Reference Tags
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6219_7.10.6_2023-03-20.pdf	release-notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0002.json	vendor-advisory
http://seclists.org/fulldisclosure/2023/Jun/8
http://packetstormsecurity.com/files/173083/OX-App-Suite-SSRF-Resource-Consumption-Command-Injection.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26435
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26435

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:22:09				Added to TrackCVE