CVE-2023-26441

CVSS V2 None CVSS V3 None

Description

Cacheservice did not correctly check if relative cache object were pointing to the defined absolute location when accessing resources. An attacker with access to the database and a local or restricted network would be able to read arbitrary local file system resources that are accessible by the services system user account. We have improved path validation and make sure that any access is contained to the defined root directory. No publicly available exploits are known.

Overview

CVE ID
CVE-2023-26441

Assigner
OX

Vulnerability Status
PUBLISHED

Published Version
2023-08-02T12:23:09.844Z

Last Modified Date
2024-01-12T07:12:52.505Z

Weakness Enumerations

CWE	URL
CWE-200	http://cwe.mitre.org/data/definitions/200.html

References

Reference URL	Reference Tags
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf	release-notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json	vendor-advisory
http://seclists.org/fulldisclosure/2023/Aug/8
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26441
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26441

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:25:00				Added to TrackCVE