CVE-2024-23188
Description
Maliciously crafted E-Mail attachment names could be used to temporarily execute script code in the context of the user's browser session. Common user interaction is required for the vulnerability to trigger. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. We now use safer methods of handling external content when embedding attachment information to the web interface. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS in OX App Suite via crafted email attachment names allows script execution in the user's browser session.
Root Cause
CVE-2024-23188 is a cross-site scripting (XSS) vulnerability in OX App Suite. The software failed to properly sanitize email attachment names when embedding them in the web interface. A maliciously crafted attachment name could be stored and later rendered without safe handling, leading to script injection in the user's browser session [1].
Exploitation
An attacker must send an email with a specially crafted attachment name to a target user. The user must then view the attachment details within the OX App Suite web interface. The attacker needs no special network position and no account on the target system; sending the email is sufficient, and the payload executes when the victim interacts with the message. The official advisory notes that common user interaction is required for the exploit to succeed [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser context. This can be used to perform malicious API requests on behalf of the user, extract sensitive information from the user's account, or perform other actions within the same session. The vulnerability is rated Medium (CVSS 6.5) and no public exploits are known at the time of disclosure [1].
Mitigation
The vendor has released a fix in OX App Suite version 8.22, which uses safer methods for handling external content when embedding attachment information. Users are advised to deploy the provided updates and patch releases. No workarounds or known exploitation in the wild have been reported [1].
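To make the root cause and the fix concrete, the following is an added example and not OX App Suite code: a minimal attachment-list renderer that interpolates the attachment name straight into HTML (the unsafe pattern the advisory describes) beside a variant that HTML-escapes the name before embedding it in both the text node and the title attribute. The attachment name, the attachment id, the `/ajax/mail/attachment` link and the `/api/mail` fetch target inside the payload are all constructed for illustration and are not taken from the product.

```javascript
// Added example (not OX App Suite code). Shows how an unescaped attachment
// name becomes stored XSS when templated into markup, and the escaped form.

// Constructed sample input: an attachment name that closes the title
// attribute and injects an <img> with an onerror handler. The fetch target
// is a placeholder for "malicious API request in the victim's session".
const MALICIOUS_NAME =
  'report.pdf"><img src=x onerror="fetch(\'/api/mail?action=all\')">';
const BENIGN_NAME = 'Q3 report & budget <final>.pdf';

// Vulnerable pattern: the untrusted name goes into the HTML string as-is,
// so a name containing quotes or angle brackets rewrites the markup.
function renderAttachmentUnsafe(att) {
  return `<li class="attachment" title="${att.name}">` +
         `<a href="/ajax/mail/attachment?id=${att.id}">${att.name}</a></li>`;
}

// HTML-escape for use in text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened pattern: escape for the HTML context, and URL-encode the id
// because it lands in a query string, a different context with its own rules.
function renderAttachmentSafe(att) {
  const name = escapeHtml(att.name);
  const id = encodeURIComponent(att.id);
  return `<li class="attachment" title="${name}">` +
         `<a href="/ajax/mail/attachment?id=${id}">${name}</a></li>`;
}

// Crude check used here to demonstrate the difference: our template only
// emits <li> and <a>, so any other tag name in the output came from the
// attachment name, i.e. the name was rendered as markup rather than text.
function hasUnexpectedTag(html) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== 'li' && t !== 'a');
}

const sample = { id: 7, name: MALICIOUS_NAME };
console.log('unsafe :', renderAttachmentUnsafe(sample));
console.log('safe   :', renderAttachmentSafe(sample));
console.log('injected tag in unsafe output?', hasUnexpectedTag(renderAttachmentUnsafe(sample)));
console.log('injected tag in safe output?  ', hasUnexpectedTag(renderAttachmentSafe(sample)));
```

When the rendering is done through the DOM rather than string templating, the equivalent of `escapeHtml` is to assign the name with `textContent` and `setAttribute('title', ...)` instead of `innerHTML`; the point in both cases is that the attachment name is treated as data for the context it is inserted into, never as markup.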
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.22
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.