CVE-2024-23192
Description
RSS feeds that contain malicious data- attributes could be abused to inject script code into a user's browser session when the user reads a compromised RSS feed or is successfully lured to a compromised account. Attackers could perform malicious API requests or extract information from the user's account. Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content. No publicly available exploits are known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
RSS feeds with malicious data- attributes cause XSS in Open-Xchange App Suite, enabling script injection and unauthorized API requests.
The vulnerability lies in the handling of RSS feeds within Open-Xchange App Suite. Malicious data- attributes embedded in RSS content are not properly sanitized before rendering. This allows an attacker to inject arbitrary script code into the user's browser session when the feed is read [1][2].
An attacker can exploit this by hosting a compromised RSS feed or tricking a user into accessing a malicious account. No authentication is required beyond user interaction; simply viewing the feed triggers the payload. The attack surface is the RSS reader component in the application.
Successful exploitation leads to script execution in the context of the user's session. The attacker could perform malicious API requests on behalf of the user, exfiltrate sensitive information from their account, or perform other unauthorized actions. The vulnerability is classified as medium severity with a CVSS score of 6.1.
Open-Xchange has released patches in versions 8.22 and 8.21 that remove potentially malicious data- attributes from external RSS content. Users are advised to update to these or later versions. As of publication, no public exploits are known.
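As an added illustration of the mitigation class the advisory describes (stripping attributes from external feed content), and not Open-Xchange's own code, the following Python sanitizer rebuilds an untrusted feed item's markup while dropping every data-* attribute and every on* event-handler attribute; the feed item is a constructed sample, and a real deployment would layer this on top of a tag allowlist rather than use it alone.

```python
from html import escape
from html.parser import HTMLParser

class ExternalContentSanitizer(HTMLParser):
    """Rebuild markup from an untrusted feed item, dropping attributes that client-side
    code may act on (data-*) or the browser executes (on*). Added illustration only."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []      # rebuilt markup fragments
        self.dropped = []  # (tag, attribute) pairs removed; worth logging in production

    def _filter(self, tag, attrs):
        kept = []
        for name, value in attrs:  # html.parser lowercases attribute names
            if name.startswith("data-") or name.startswith("on"):
                self.dropped.append((tag, name))
            else:
                kept.append((name, value))
        return kept

    @staticmethod
    def _render(tag, attrs, self_closing=False):
        # Values come back unescaped from the parser, so re-escape on output.
        parts = [tag] + [name if value is None else f'{name}="{escape(value, quote=True)}"'
                         for name, value in attrs]
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, self._filter(tag, attrs)))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, self._filter(tag, attrs), self_closing=True))

    # Pass text and entity references through; comments hit the no-op default and vanish.
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def sanitize_feed_html(fragment):
    """Return (clean_markup, dropped_attributes) for one external feed item."""
    parser = ExternalContentSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample item: the data-* and on* attributes must not survive sanitisation.
SAMPLE_ITEM = ('<p>Read more <a href="https://example.invalid/post" '
               'data-action="run-widget" onclick="alert(1)">here</a></p>')
```

The returned `dropped` list is the signal a defender would want to log: a feed that repeatedly ships data-* or on* attributes is worth flagging even after the attributes are stripped.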
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- seclists.org/fulldisclosure/2024/Apr/18 (nvd)
- documentation.open-xchange.com/appsuite/releases/8.21/ (nvd)
- documentation.open-xchange.com/appsuite/releases/8.22/ (nvd)
- documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json (nvd)
- software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf (nvd)
News mentions (0)
No linked articles in our index yet.