Unrated severityNVD Advisory· Published Jan 8, 2024· Updated Apr 17, 2025

CVE-2023-29049

Description

The "upsell" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.

Affected products

Open-Xchange/Appsuitellm-fuzzy
Range: <=7.10.6
Open-Xchange GmbH/OX App Suitev5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.jsonmitrevendor-advisory
software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdfmitrerelease-notes
packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.htmlmitre
seclists.org/fulldisclosure/2024/Jan/3mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000