CVE-2023-26446
Description
The user's clientID at "application passwords" was not sanitized or escaped before being added to the DOM. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. We now sanitize the user-controllable clientID parameter. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OX App Suite stored XSS via unsanitized clientID in application passwords allows session hijacking.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in OX App Suite (all versions prior to the fix) in the "application passwords" feature. The clientID parameter, controllable by the user, is not sanitized or escaped before being added to the DOM. This allows injection of arbitrary script code [1].
Exploitation
An attacker requires temporary access to the victim's account or must lure the victim to a compromised account. The attacker sets a malicious clientID value, which is then stored and rendered unsanitized in the victim's browser when viewing application passwords [1].
Impact
Successful exploitation leads to execution of attacker-controlled script in the victim's browser context. This can result in session hijacking, unauthorized actions via the web interface and API, disclosure of sensitive information, or further compromise of the OX App Suite instance [1].
Mitigation
The vendor has released a fix that sanitizes the user-controllable clientID parameter. Users should update OX App Suite to the latest patched version. No publicly available exploits are known [1].
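As an added illustration (not OX App Suite code) of the defect described above and the kind of fix the vendor reports: a list renderer that concatenates the user-controlled clientID straight into markup, beside a hardened version that escapes it first, plus a small audit helper for rendered output. The entry structure, function names and sample data are assumptions constructed for this example.

```javascript
// Minimal HTML escaper: neutralises the characters that let a text value
// break out of element content or an attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored, user-controlled clientID is inserted into
// markup unchanged, so any tags it contains are parsed as HTML by the browser.
function renderRowUnsafe(entry) {
  return `<tr><td>${entry.clientID}</td><td>${entry.created}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped before insertion.
// (When building nodes directly, the equivalent is assigning to
// element.textContent rather than element.innerHTML.)
function renderRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.clientID)}</td><td>${escapeHtml(entry.created)}</td></tr>`;
}

function renderTable(entries, renderRow) {
  return `<table>${entries.map(renderRow).join('')}</table>`;
}

// Audit helper for a test suite: returns the clientIDs that contain markup
// characters and still appear verbatim (unescaped) in the rendered HTML.
function findUnescapedClientIds(html, entries) {
  return entries
    .map((e) => e.clientID)
    .filter((v) => /[<>"']/.test(v) && html.includes(v));
}

// Constructed sample data; the second clientID carries a script tag as the
// classic stored-XSS illustration.
const SAMPLE_ENTRIES = [
  { clientID: 'Mail client on laptop', created: '2023-05-02' },
  { clientID: 'calendar<script>alert(1)</script>', created: '2023-05-03' },
];

function demo() {
  const unsafe = renderTable(SAMPLE_ENTRIES, renderRowUnsafe);
  const safe = renderTable(SAMPLE_ENTRIES, renderRowSafe);
  return {
    unsafeLeaks: findUnescapedClientIds(unsafe, SAMPLE_ENTRIES),
    safeLeaks: findUnescapedClientIds(safe, SAMPLE_ENTRIES),
  };
}
```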
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.10.6 patch 6230
- OX Software GmbH / OX App Suite v5, range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json (mitre, vendor-advisory)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf (mitre, release-notes)
- packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html (mitre)
- seclists.org/fulldisclosure/2023/Aug/8 (mitre)
News mentions
No linked articles in our index yet.