Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-29050

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known.

Published

2024-01-08T09:15:20.300

Last Modified

2024-11-21T07:56:27.090

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.6 (HIGH)

Weaknesses

Type: Secondary
CWE-90
Type: Primary
CWE-74

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	open-xchange	ox_app_suite	< 7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	7.10.6	Yes
Application	open-xchange	ox_app_suite	8.16	Yes

References

http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html Third Party Advisory, VDB Entry ([email protected])
http://seclists.org/fulldisclosure/2024/Jan/3 Mailing List, Third Party Advisory ([email protected])
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json Issue Tracking ([email protected])
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf Release Notes ([email protected])
http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2024/Jan/3 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf Release Notes (af854a3a-2127-422b-91ae-364da2661108)