CVE-2023-26449
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2023-26449: The "OX Chat" web service fails to specify media-types when processing responses from external resources, leaving it susceptible to script injection attacks. Malicious code can be executed in the victim's context, potentially leading to session hijacking or unwanted actions through both the web interface and API. Exploitation requires temporary account access or luring a user to a compromised account. To mitigate this, the accepted media-types are now being defined to prevent code execution. No publicly known exploits are available at this time.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Open-xchange Appsuite Frontend