CVE-2023-26439
Description
The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as an SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users' cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The cacheservice API in OX App Suite is vulnerable to SQL injection, allowing attackers with network access to execute arbitrary SQL queries and access cached data.
Vulnerability
The cacheservice API in OX App Suite suffers from a SQL injection vulnerability due to insufficient sanitization of API parameters. Attackers can inject SQL syntax into API calls, which are then executed against the database. This affects versions prior to the fix released on 2023-08-02 [1].
Exploitation
An attacker with access to a local or restricted network can craft malicious API requests containing SQL syntax. The attacker does not require authentication if the API is exposed; per the description, access to a local or restricted network is sufficient. Exploitation consists of sending a specially crafted request to the cacheservice endpoint [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries, potentially retrieving cached data from other users. This leads to unauthorized disclosure of sensitive information stored in the cache [1].
Mitigation
The vendor released a fix on 2023-08-02 that improves input validation and filters for malicious content. Users should update to the latest version of OX App Suite. No known public exploits exist as of the publication date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.10.6
- OX Software GmbH/OX App Suite (v5), Range: 0
Patches
No patches discovered yet.
References
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json (mitre, vendor-advisory)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf (mitre, release-notes)
- packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html (mitre)
- seclists.org/fulldisclosure/2023/Aug/8 (mitre)