CVE-2024-23187 - OpenCVE

Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/May/3
https://documentation.open-xchange.com/appsuite/releases/8.22/
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json

History

No history.

MITRE

Status: PUBLISHED

Assigner: OX

Published: 2024-05-06T06:36:39.282Z

Updated: 2024-08-01T22:59:32.012Z

Reserved: 2024-01-12T07:03:12.862Z

Link: CVE-2024-23187

Vulnrichment

Updated: 2024-08-01T22:59:32.012Z

NVD

Status : Awaiting Analysis

Published: 2024-05-06T07:15:06.850

Modified: 2024-05-07T01:15:06.333

Link: CVE-2024-23187

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23187", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2024-01-12T07:03:12.862Z", "datePublished": "2024-05-06T06:36:39.282Z", "dateUpdated": "2024-08-01T22:59:32.012Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["backend"], "product": "OX App Suite", "vendor": "Open-Xchange GmbH", "versions": [{"lessThanOrEqual": "8.21", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the \"show more\" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "cwe"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2024-05-06T06:36:39.282Z"}, "references": [{"tags": ["release-notes"], "url": "https://documentation.open-xchange.com/appsuite/releases/8.22/"}, {"tags": ["vendor-advisory"], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json"}, {"url": "http://seclists.org/fulldisclosure/2024/May/3"}], "source": {"defect": "MWB-2471", "discovery": "INTERNAL"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T19:20:06.598740Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*"], "vendor": "open-xchange", "product": "ox_app_suite", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:45:41.685Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.012Z"}, "title": "CVE Program Container", "references": [{"tags": ["release-notes", "x_transferred"], "url": "https://documentation.open-xchange.com/appsuite/releases/8.22/"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json"}, {"url": "http://seclists.org/fulldisclosure/2024/May/3", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://documentation.open-xchange.com/appsuite/releases/8.22/", "tags": ["release-notes", "x_transferred"]}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/3", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.012Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23187", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-06T19:20:06.598740Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*"], "vendor": "open-xchange", "product": "ox_app_suite", "versions": [{"status": "affected", "version": "*"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-06T19:27:24.694Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"source": {"defect": "MWB-2471", "discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Open-Xchange GmbH", "modules": ["backend"], "product": "OX App Suite", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.21"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://documentation.open-xchange.com/appsuite/releases/8.22/", "tags": ["release-notes"]}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json", "tags": ["vendor-advisory"]}, {"url": "http://seclists.org/fulldisclosure/2024/May/3"}], "descriptions": [{"lang": "en", "value": "Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the \"show more\" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2024-05-06T06:36:39.282Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23187", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:59:32.012Z", "dateReserved": "2024-01-12T07:03:12.862Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2024-05-06T06:36:39.282Z", "assignerShortName": "OX"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the \"show more\" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known."}, {"lang": "es", "value": "Se podr\u00eda abusar de la incrustaci\u00f3n de recursos basada en Content-ID en correos electr\u00f3nicos para activar c\u00f3digo de script del lado del cliente cuando se utiliza la opci\u00f3n \"mostrar m\u00e1s\". Los atacantes podr\u00edan realizar solicitudes API maliciosas o extraer informaci\u00f3n de la cuenta del usuario. Explotar la vulnerabilidad requiere la interacci\u00f3n del usuario. Implemente las actualizaciones y lanzamientos de parches proporcionados. El reemplazo de CID se ha reforzado para omitir identificadores no v\u00e1lidos. No se conocen exploits disponibles p\u00fablicamente."}], "id": "CVE-2024-23187", "lastModified": "2024-05-07T01:15:06.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2024-05-06T07:15:06.850", "references": [{"source": "security@open-xchange.com", "url": "http://seclists.org/fulldisclosure/2024/May/3"}, {"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/appsuite/releases/8.22/"}, {"source": "security@open-xchange.com", "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@open-xchange.com", "type": "Secondary"}]}