CVE-2024-23192

RSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content. No publicly available exploits are known.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://documentation.open-xchange.com/appsuite/releases/8.21/
https://documentation.open-xchange.com/appsuite/releases/8.22/
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf
http://seclists.org/fulldisclosure/2024/Apr/18
https://documentation.open-xchange.com/appsuite/releases/8.21/
https://documentation.open-xchange.com/appsuite/releases/8.22/
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf

Configurations

No configuration.

History

04 Nov 2025, 19:16

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Apr/18 -

Information

Published : 2024-04-08 09:15

Updated : 2025-11-04 19:16

NVD link : CVE-2024-23192

Mitre link : CVE-2024-23192

CVE.ORG link : CVE-2024-23192

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-23192", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@open-xchange.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-04-08T09:15:09.990", "references": [{"url": "https://documentation.open-xchange.com/appsuite/releases/8.21/", "source": "security@open-xchange.com"}, {"url": "https://documentation.open-xchange.com/appsuite/releases/8.22/", "source": "security@open-xchange.com"}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json", "source": "security@open-xchange.com"}, {"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf", "source": "security@open-xchange.com"}, {"url": "http://seclists.org/fulldisclosure/2024/Apr/18", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://documentation.open-xchange.com/appsuite/releases/8.21/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://documentation.open-xchange.com/appsuite/releases/8.22/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@open-xchange.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "RSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised RSS feeds or successfully luring users to compromised accounts. Attackers could perform malicious API requests or extract information from the users account. Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content. No publicly available exploits are known."}, {"lang": "es", "value": "Se podr\u00eda abusar de los canales RSS que contienen atributos de datos maliciosos para inyectar c\u00f3digo de secuencia de comandos en la sesi\u00f3n del navegador de un usuario cuando se leen canales RSS comprometidos o se atrae con \u00e9xito a los usuarios a cuentas comprometidas. Los atacantes podr\u00edan realizar solicitudes API maliciosas o extraer informaci\u00f3n de la cuenta del usuario. Implemente las actualizaciones y lanzamientos de parches proporcionados. Los atributos potencialmente maliciosos ahora se eliminan del contenido RSS externo. No se conocen exploits disponibles p\u00fablicamente."}], "lastModified": "2025-11-04T19:16:33.843", "sourceIdentifier": "security@open-xchange.com"}