CVE-2023-29048
Description
A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user. Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources. The template engine has been reconfigured to deny execution of harmful commands on a system level. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A template parsing flaw in OX App Suite allows authenticated users to execute arbitrary system commands as the non-privileged runtime user, leading to information disclosure and integrity violation.
Vulnerability
The vulnerability resides in the OXMF template parsing component of OX App Suite. It allows injection of arbitrary system commands that are executed as the non-privileged runtime user. Affected versions include OX App Suite 7.10.6 and possibly earlier. The template engine was reconfigured to deny execution of harmful commands. [1]
Exploitation
An attacker needs to be an authenticated user with the ability to upload or modify OXMF templates. The attacker crafts a malicious template containing system commands. When the template is parsed, the commands execute. No user interaction beyond the attacker's own actions is required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary system commands with the privileges of the runtime user. This can lead to unauthorized access to confidential information and modification of resources, violating confidentiality and integrity. [1]
Mitigation
The vendor has reconfigured the template engine to deny execution of harmful commands. The fix is included in OX App Suite updates; users should upgrade to the latest version. No workarounds are mentioned, and no public exploits are known. [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <7.10.6 (or fixed in Patch Release 6248)
- Open-Xchange GmbH/OX App Suite (v5), Range: 0
Patches
No patches discovered yet.
References
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json (mitre, vendor-advisory)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf (mitre, release-notes)
- packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html (mitre)
- seclists.org/fulldisclosure/2024/Jan/3 (mitre)