CVE-2023-26451

CVSS V2 None CVSS V3 None

Description

Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result, other users accounts could be compromised. The oAuth Authorization Service is not enabled by default. We have updated the implementation to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known.

Overview

CVE ID
CVE-2023-26451

Assigner
OX

Vulnerability Status
PUBLISHED

Published Version
2023-08-02T12:23:47.407Z

Last Modified Date
2024-01-12T07:08:44.957Z

Weakness Enumerations

CWE	URL
CWE-330	http://cwe.mitre.org/data/definitions/330.html

References

Reference URL	Reference Tags
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf	release-notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json	vendor-advisory
http://seclists.org/fulldisclosure/2023/Aug/8
http://packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-26451
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26451

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 23:21:28				Added to TrackCVE