Outlook CIDBased Email Script Injection via Show More
CVE-2024-23187 Published on May 6, 2024
Content-ID based embedding of resources in E-Mails could be abused to trigger client-side script code when using the "show more" option. Attackers could perform malicious API requests or extract information from the users account. Exploiting the vulnerability requires user interaction. Please deploy the provided updates and patch releases. CID replacement has been hardened to omit invalid identifiers. No publicly available exploits are known.
Vulnerability Analysis
CVE-2024-23187 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-23187 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-23187
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-23187 are published in these products:
Affected Versions
Open-Xchange GmbH OX App Suite:- Before and including 8.21 is affected.
- Version * is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.