CVE-2024-23191
Description
Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in OX App Suite's upsell ads allows script execution; fixed in version 8.22.
Vulnerability
Description
CVE-2024-23191 is a stored cross-site scripting (XSS) vulnerability in OX App Suite's upsell advertisement functionality. The root cause is insufficient sanitization of user-defined upsell content, allowing an attacker to inject malicious script code that executes in the context of the victim's browser session.
Exploitation
To exploit this vulnerability, an attacker requires temporary access to a user's account or must lure the user via social engineering to a maliciously configured account. No additional authentication is needed because the attack executes within the authenticated session of the user who views the manipulated upsell ad.
Impact
Successful exploitation enables the attacker to perform malicious API requests on behalf of the victim or extract sensitive information from the user's account, potentially compromising account integrity and data confidentiality.
Mitigation
Open-Xchange has addressed this vulnerability in App Suite version 8.22 by improving sanitization of upsell content [1]. Users are advised to deploy the provided updates. As of the publication date, no publicly available exploits are known.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=8.22
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] seclists.org/fulldisclosure/2024/Apr/18
- documentation.open-xchange.com/appsuite/releases/8.21/
- documentation.open-xchange.com/appsuite/releases/8.22/
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf
News mentions
No linked articles in our index yet.