OX App Suite: OXMF Template Feature Exposes Limited Internal Java API Access
CVE-2023-29051 Published on January 8, 2024
User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product. No publicly available exploits are known.
Vulnerability Analysis
CVE-2023-29051 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2023-29051 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2023-29051
Affected Versions
Open-Xchange GmbH OX App Suite:
- Before and including 7.10.6-rev51 is affected.
- Before and including 8.17 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.