Abuse of 'Show More' Option Could Lead to Malicious Code Execution
CVE-2024-23187

6.1MEDIUM

Key Information:

Vendor: Open-xchange Gmbh
Status: Ox App Suite
Vendor: CVE Published:; 6 May 2024

🔔 Create Open-xchange Gmbh Vulnerability Alert

What is CVE-2024-23187?

Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known.

Affected Version(s)

OX App Suite 0 <= 8.21

References

https://documentation.open-xchange.com/appsuite/releases/...

release-notes

https://documentation.open-xchange.com/appsuite/security/...

vendor-advisory

http://seclists.org/fulldisclosure/2024/May/3

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2024
Vulnerability Reserved
Jan 12, 2024