CVE-2024-25582

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-25582
Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf
Configurations

No configuration.

History

19 Aug 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) Se podría abusar de los puntos de guardado del módulo para inyectar referencias a código malicioso entregado a través del mismo dominio. Los atacantes podrían realizar solicitudes API maliciosas o extraer información de la cuenta del usuario. Explotar esta vulnerabilidad requiere acceso temporal a una cuenta o ingeniería social exitosa para hacer que un usuario siga un enlace preparado a una cuenta maliciosa. Implemente las actualizaciones y lanzamientos de parches proporcionados. La ruta del módulo de punto de guardado se ha restringido a los módulos que proporcionan la función, excluyendo cualquier módulo arbitrario o inexistente. No se conocen exploits disponibles públicamente.

19 Aug 2024, 08:15

Type Values Removed Values Added
References
  • () https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf -

19 Aug 2024, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-19 07:15

Updated : 2024-08-19 12:59

NVD link : CVE-2024-25582

Mitre link : CVE-2024-25582

CVE.ORG link : CVE-2024-25582

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')