CVE-2023-26448
Description
Custom log-in and log-out locations are user-defined as jslob but were not checked to contain malicious protocol handlers. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We now sanitize jslob content for those locations to avoid redirects to malicious content. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Custom login/logout locations in OX App Suite allow XSS via malicious protocol handlers, enabling session hijacking or unwanted actions.
Vulnerability
The vulnerability resides in custom log-in and log-out locations in OX App Suite. These locations are user-defined as jslob but were not sanitized for malicious protocol handlers. An attacker can inject malicious script code that executes in the victim's context. Affected versions are not explicitly listed in the description, but the fix was applied in a security update. [1]
Exploitation
To exploit, an attacker requires temporary access to the user's account or must lure a user to a compromised account. The attacker defines a custom login/logout location containing a malicious protocol handler (e.g., javascript:). When the victim accesses that location, the script executes. No publicly available exploits are known. [1]
Impact
Successful exploitation allows execution of arbitrary script code in the victim's browser within the OX App Suite context. This can lead to session hijacking, unauthorized actions via the web interface and API, and potential data compromise. [1]
Mitigation
The vendor has sanitized jslob content for those locations to prevent redirects to malicious content. Users should update to the latest version of OX App Suite that includes this fix. No workarounds are mentioned. The vulnerability is not listed on CISA's KEV. [1]
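The fix described above amounts to validating a user-controlled URL before it is stored in jslob or used as a redirect target. The following is an added example of such a check, written here for illustration; it is not OX App Suite's own code. It parses the configured location relative to the application origin, accepts only http: and https: targets, and additionally restricts the destination host to the application's own host or an explicit allow-list (the hostnames below are constructed for the example).

```javascript
// Added example, not OX App Suite code: validate a user-configurable
// login/logout location before storing it or redirecting to it.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

/**
 * Return a normalized absolute URL string if `input` is an acceptable
 * login/logout location, or null if it must be rejected (caller falls
 * back to the default location).
 *
 * - Relative paths resolve against appOrigin and are accepted.
 * - Only http:/https: schemes pass; javascript:, data:, vbscript:, etc.
 *   are rejected regardless of case or embedded whitespace.
 * - Absolute URLs must point at the app host or an allow-listed host,
 *   which also rejects protocol-relative "//other.host/..." inputs.
 */
function sanitizeLocation(input, appOrigin, allowedHosts = []) {
  if (typeof input !== "string") return null;

  // Drop surrounding whitespace and C0/DEL control characters; browsers
  // tolerate "java\tscript:" so the check must see the joined scheme.
  const cleaned = input.trim().replace(/[\u0000-\u001F\u007F]/g, "");
  if (cleaned === "") return null;

  let url;
  try {
    // WHATWG parsing lower-cases the scheme, so "JaVaScRiPt:" becomes "javascript:".
    url = new URL(cleaned, appOrigin);
  } catch {
    return null; // unparseable input is rejected, not "fixed up"
  }

  if (!SAFE_SCHEMES.has(url.protocol)) return null;

  const origin = new URL(appOrigin);
  const hostOk = url.host === origin.host || allowedHosts.includes(url.host);
  if (!hostOk) return null;

  return url.href;
}

// Constructed sample inputs (hostnames are placeholders for the example).
const APP_ORIGIN = "https://mail.example.com";
const ALLOWED_HOSTS = ["sso.example.com"];

function checkSamples() {
  const samples = [
    "/appsuite/logout",                      // relative path: accepted
    "https://sso.example.com/login",         // allow-listed host: accepted
    "javascript:alert(document.cookie)",     // script scheme: rejected
    "  JaVaScRiPt:alert(1)",                 // case/whitespace variant: rejected
    "java\tscript:alert(1)",                 // embedded tab: rejected
    "data:text/html,<script>1</script>",     // data URL: rejected
    "//attacker.example/landing",            // protocol-relative foreign host: rejected
    "https://attacker.example/landing",      // foreign host not allow-listed: rejected
  ];
  const results = {};
  for (const s of samples) {
    results[s] = sanitizeLocation(s, APP_ORIGIN, ALLOWED_HOSTS);
  }
  return results;
}

module.exports = { sanitizeLocation, checkSamples };
```

Rejecting rather than rewriting bad input keeps the check simple to audit: anything that is not an http(s) URL on a known host falls back to the default location, and the rejection can be logged as a signal that an account's jslob settings were tampered with.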
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=7.10.6 Patch Release 6230
- OX Software GmbH / OX App Suite (v5; Range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0003.json (mitre; vendor-advisory)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6230_7.10.6_2023-05-02.pdf (mitre; release-notes)
- packetstormsecurity.com/files/173943/OX-App-Suite-SSRF-SQL-Injection-Cross-Site-Scripting.html (mitre)
- seclists.org/fulldisclosure/2023/Aug/8 (mitre)
News mentions
No linked articles in our index yet.