Unrated severityNVD Advisory· Published Aug 2, 2023· Updated Dec 3, 2024

CVE-2023-26442

Description

In case Cacheservice was configured to use a sproxyd object-storage backend, it would follow HTTP redirects issued by that backend. An attacker with access to a local or restricted network with the capability to intercept and replay HTTP requests to sproxyd (or who is in control of the sproxyd service) could perform a server-side request-forgery attack and make Cacheservice connect to unexpected resources. We have disabled the ability to follow HTTP redirects when connecting to sproxyd resources. No publicly available exploits are known.

Affected products

Open-Xchange/Appsuitellm-fuzzy
Range: < 7.10.6 Patch Release 6230 (2023-05-02)
OX Software GmbH/OX App Suitev5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.jsonmitrevendor-advisory
software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdfmitrerelease-notes
packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.htmlmitre
seclists.org/fulldisclosure/2023/Aug/8mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000