Malicious E-Mail Attachment Names Could Trigger Code Execution and API Requests
CVE-2024-23188

6.5MEDIUM

Key Information:

Vendor: Open-xchange Gmbh
Status: Ox App Suite
Vendor: CVE Published:; 6 May 2024

🔔 Create Open-xchange Gmbh Vulnerability Alert

What is CVE-2024-23188?

Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the users browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known.

Affected Version(s)

OX App Suite 0 <= 8.21

References

https://documentation.open-xchange.com/appsuite/releases/...

release-notes

https://documentation.open-xchange.com/appsuite/security/...

vendor-advisory

http://seclists.org/fulldisclosure/2024/May/3

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2024
Vulnerability Reserved
Jan 12, 2024