CVE-2023-26445
Description
Frontend themes are defined by user-controllable jslob settings and could point to a malicious resource which gets processed during login. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize the theme value and use a default fallback if no theme matches. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) vulnerability in OX App Suite frontend themes allows session hijacking via malicious theme URLs.
Vulnerability
An XSS vulnerability exists in OX App Suite (OXAS) where frontend themes are defined by user-controllable jslob settings. An attacker can set a theme value pointing to a malicious resource, which gets processed during login. Versions prior to the fix are affected. The theme value is now sanitized and falls back to a default if no match is found [1].
Exploitation
To exploit, an attacker needs temporary access to a user's account or must lure a user to a compromised account. The attacker sets a malicious theme via the jslob settings, and when the victim logs in, the malicious resource is processed, executing script code in the victim's browser [1].
Impact
Successful exploitation leads to execution of malicious script code in the victim's context. This can result in session hijacking or triggering unwanted actions via the web interface and API [1].
Mitigation
The vendor has addressed the issue by sanitizing the theme value and using a default fallback if no theme matches. The fix is included in newer versions. No workarounds are detailed, and there are no known public exploits [1].
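The fix pattern the advisory describes, shown as an added illustration rather than OX App Suite's own code: a user-controllable theme setting is resolved against a fixed allowlist and anything else falls back to the default, beside the weak pattern where the raw value is interpolated into a resource URL. The setting key `theme`, the theme names and the `/themes/` path are assumptions for illustration.

```javascript
// Added example, not code from OX App Suite. The jslob key name, theme
// names and URL layout are assumptions made for this illustration.

const ALLOWED_THEMES = new Set(['default', 'dark', 'high-contrast']);
const DEFAULT_THEME = 'default';
// Strict identifier: no slashes, dots, colons or scheme separators can pass.
const THEME_ID = /^[a-z0-9][a-z0-9_-]{0,63}$/;

// Audit trail of rejected values (truncated) so tampered settings can be
// spotted in logs; a real deployment would forward these to its logger.
const rejectedThemes = [];

// Weak pattern: the stored setting is used directly to build a resource
// location, so whatever the account holder wrote is loaded at login.
function themeUrlUnsafe(settings) {
  const theme = settings.theme; // user-controllable
  return `/themes/${theme}/style.css`;
}

// Hardened pattern: only a known theme identifier is accepted; any other
// value (URLs, traversal, non-strings) resolves to the default theme.
function resolveTheme(settings) {
  const raw = settings && settings.theme;
  if (typeof raw !== 'string') return DEFAULT_THEME;
  const candidate = raw.trim().toLowerCase();
  if (!THEME_ID.test(candidate) || !ALLOWED_THEMES.has(candidate)) {
    rejectedThemes.push(raw.slice(0, 80));
    return DEFAULT_THEME;
  }
  return candidate;
}

function themeUrlSafe(settings) {
  return `/themes/${resolveTheme(settings)}/style.css`;
}
```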
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- OX Software GmbH / OX App Suite
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json (MITRE; vendor advisory)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf (MITRE; release notes)
- packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html (MITRE)
- seclists.org/fulldisclosure/2023/Aug/8 (MITRE)
News mentions
No linked articles in our index yet.