Vulnerability Details : CVE-2023-41704
Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing has been improved and resulting content is checked for malicious content. No publicly available exploits are known.
Products affected by CVE-2023-41704
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:*:*:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:-:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6069:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6073:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6080:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6085:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6093:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6102:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6112:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6121:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6133:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6138:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6141:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6146:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6147:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6148:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6150:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6156:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6161:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6166:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6173:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6176:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6178:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6189:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6194:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6199:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6205:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6204:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6209:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6210:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6214:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6215:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6216:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6218:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6219:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6220:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6227:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6230:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6233:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6235:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6236:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6239:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6241:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6243:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6245:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6248:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6249:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6250:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6251:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.10.6:patch_release_6255:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:-:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3464:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3519:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3569:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3627:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3728:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3875:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3922:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3949:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_3991:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4047:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4133:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4423:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4470:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4552:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4667:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4750:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4789:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4839:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4860:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_4895:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5104:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5165:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5231:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5537:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5637:*:*:*:*:*:*
- cpe:2.3:a:open-xchange:open-xchange_appsuite:7.6.3:patch_release_5910:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-41704
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 22 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-41704
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
2.8
|
2.7
|
NIST | 2024-10-17 |
7.1
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
2.8
|
3.7
|
Open-Xchange | 2024-02-12 |
CWE ids for CVE-2023-41704
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by:
- nvd@nist.gov (Primary)
- security@open-xchange.com (Secondary)
References for CVE-2023-41704
-
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf
Release Notes
-
http://packetstormsecurity.com/files/177130/OX-App-Suite-7.10.6-Cross-Site-Scirpting-Denial-Of-Service.html
OX App Suite 7.10.6 Cross Site Scirpting / Denial Of Service ≈ Packet Storm
-
http://seclists.org/fulldisclosure/2024/Feb/10
Full Disclosure: OXAS-ADV-2023-0007: OX App Suite Security Advisory
-
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json
Vendor Advisory
Jump to