CVE-2024-23193

E-Mails exported as PDF were stored in a cache that did not consider specific session information for the related user account. Users of the same service node could access other users E-Mails in case they were exported as PDF for a brief moment until caches were cleared. Successful exploitation requires good timing and modification of multiple request parameters. Please deploy the provided updates and patch releases. The cache for PDF exports now takes user session information into consideration when performing authorization decisions. No publicly available exploits are known.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://seclists.org/fulldisclosure/2024/May/3	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/releases/8.22/	Release Notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json	Issue Tracking Vendor Advisory
http://seclists.org/fulldisclosure/2024/May/3	Mailing List Third Party Advisory
https://documentation.open-xchange.com/appsuite/releases/8.22/	Release Notes
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*

History

10 Apr 2025, 18:43

Type	Values Removed	Values Added
CPE		cpe:2.3:a:open-xchange:ox_app_suite::::::::
First Time		Open-xchange ox App Suite Open-xchange
CWE		CWE-384
References	~~() http://seclists.org/fulldisclosure/2024/May/3 -~~	() http://seclists.org/fulldisclosure/2024/May/3 - Mailing List, Third Party Advisory
References	~~() https://documentation.open-xchange.com/appsuite/releases/8.22/ -~~	() https://documentation.open-xchange.com/appsuite/releases/8.22/ - Release Notes
References	~~() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json -~~	() https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0002.json - Issue Tracking, Vendor Advisory

Information

Published : 2024-05-06 07:15

Updated : 2025-04-10 18:43

NVD link : CVE-2024-23193

Mitre link : CVE-2024-23193

CVE.ORG link : CVE-2024-23193

JSON object : View

Products Affected

open-xchange

ox_app_suite

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-384

Session Fixation

5.3 /10