CVE-2024-23189
Description
Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context, or a successful social engineering attack to make users import external content. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-23189 is a stored XSS vulnerability in Open-Xchange App Suite that allows attackers to inject script code via embedded content references, leading to potential API abuse or data theft.
Vulnerability Overview
CVE-2024-23189 is a stored cross-site scripting (XSS) vulnerability affecting Open-Xchange App Suite. The flaw exists in the handling of embedded content references within tasks. Due to improper sanitization of user-generated content, an attacker can inject malicious script code that executes in the context of the victim's browser session [2].
Exploitation Conditions
To exploit this vulnerability, an attacker must have temporary access to the victim's account, access to another account within the same context, or successfully trick the user into importing external content via social engineering [2]. Once the malicious content is processed, the script executes when the victim views the crafted task.
Impact
Upon successful exploitation, an attacker can perform malicious API requests on behalf of the user or extract sensitive information from the user's account, potentially including credentials or personal data [2]. The CVSS v3 base score is 5.4 (Medium); exploitation is of low complexity and requires low privileges.
Mitigation
The vendor has released updates in App Suite 8.22 and 8.21, which improve sanitization of user-generated content [1][2]. Users are advised to deploy the provided patches. As of the advisory date, no publicly available exploits are known, but unpatched instances remain at risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <8.21
Patches
No patches discovered yet.
References
- seclists.org/fulldisclosure/2024/Apr/18 (nvd)
- documentation.open-xchange.com/appsuite/releases/8.21/ (nvd)
- documentation.open-xchange.com/appsuite/releases/8.22/ (nvd)
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json (nvd)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf (nvd)