Unrated severity · NVD Advisory · Published Jan 12, 2021 · Updated Aug 4, 2024

CVE-2020-24701

Description

OX App Suite through 7.10.4 allows XSS via the app loading mechanism (the PATH_INFO to the /appsuite URI).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OX App Suite through 7.10.4 has a reflected XSS vulnerability in the app loading mechanism via PATH_INFO to the /appsuite URI.

Vulnerability

The app loading mechanism in OX App Suite through version 7.10.4 does not properly sanitize user input passed via PATH_INFO to the /appsuite URI, allowing an attacker to inject arbitrary JavaScript code [1]. The issue is present in all versions up to and including 7.10.4.

Exploitation

An attacker can craft a malicious URL containing the payload in the PATH_INFO segment. When a victim accesses this URL, the injected script executes in the context of the victim's session. No authentication is required to trigger the vulnerability; the victim only needs to visit the crafted link.

Impact

Successful exploitation results in Cross-Site Scripting (XSS), which can lead to session theft, data exfiltration, or unauthorized actions on behalf of the victim. The attacker can perform any action the victim can within the OX App Suite environment.

Mitigation

The vendor has released a fix in version 7.10.5 [1]. Users should upgrade to the latest version. No workarounds have been publicly disclosed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
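
The crafted-link delivery described under Exploitation leaves a trace in web server access logs: a request under /appsuite whose path, once percent-decoded, contains markup characters. The following is an added example, not code from the vendor or from this advisory. It assumes combined-format access logs, the character heuristic is an assumption rather than a description of the actual flaw, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters needed to build markup that a normal path segment does not contain
# (heuristic chosen for this example, not taken from the advisory).
MARKUP_RE = re.compile(r'[<>"\'`]|javascript:', re.IGNORECASE)
PREFIX = "/appsuite"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%253C) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_info(log_line):
    """Return the decoded PATH_INFO if it carries markup characters, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    path = match.group(1).split("?", 1)[0]  # PATH_INFO excludes the query string
    if path != PREFIX and not path.startswith(PREFIX + "/"):
        return None
    path_info = fully_decode(path[len(PREFIX):])
    return path_info if MARKUP_RE.search(path_info) else None

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2021:10:00:01 +0000] "GET /appsuite/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jan/2021:10:00:02 +0000] "GET /appsuite/example/resource.js HTTP/1.1" 200 901',
    '203.0.113.9 - - [12/Jan/2021:10:03:44 +0000] "GET /appsuite/%3Cmarker%3E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jan/2021:10:03:50 +0000] "GET /appsuite/%253Cmarker%253E HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jan/2021:10:04:02 +0000] "GET /other/%3Cmarker%3E HTTP/1.1" 404 0',
]

def scan(lines):
    """Return (line_number, decoded PATH_INFO) for every flagged entry."""
    flagged = ((n, suspicious_path_info(l)) for n, l in enumerate(lines, start=1))
    return [(n, p) for n, p in flagged if p is not None]

if __name__ == "__main__":
    for number, path_info in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious PATH_INFO {path_info!r}")
```

A hit only shows that such a request was received; whether the server reflected it depends on the installed version, so correlate hits with hosts still running 7.10.4 or earlier.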

Affected products

2


References

4
