{"id":"CVE-2023-29049","details":"The \"upsell\" widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content from being processed. No publicly available exploits are known.\n\n","modified":"2026-04-10T04:57:04.506071Z","published":"2024-01-08T09:15:20.120Z","references":[{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/176421/OX-App-Suite-7.10.6-XSS-Command-Execution-LDAP-Injection.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2024/Jan/3"},{"type":"ADVISORY","url":"https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf"},{"type":"REPORT","url":"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-xchange/appsuite-frontend","events":[{"introduced":"0"},{"fixed":"489e7d0bf2bb0dc4c984860c4ce6f4d772086875"},{"introduced":"0"},{"last_affected":"489e7d0bf2bb0dc4c984860c4ce6f4d772086875"},{"introduced":"0"},{"last_affected":"3bf675812dfb666d3dc1bacfc72ed6ba4f19643f"},{"introduced":"0"},{"last_affected":"cda1b78b8fa8d35a1602003a9d90fddef2461694"},{"introduced":"0"},{"last_affected":"726dba94c43ad95f10aadd3e6ac2bbe4debf4347"},{"introduced":"0"},{"last_affected":"22378bdb996bcf376a5122b6f001c7c7c7b7088b"},{"introduced":"0"},{"last_affected":"3390ea1e54eab7c269d5e5f2e6791f36cf1ebff8"},{"introduced":"0"},{"last_affected":"281ea2f50a7c2c686d66b51e4c8782f6fa5ce75f"},{"introduced":"0"},{"last_affected":"065be8690dd07bd17ab711961085b4350dcbd7e2"},{"introduced":"0"},{"last_affected":"41eee98c698de20700aa45222fdefebc86fee3db"},{"introduced":"0"},{"last_affected":"4703ef3de5fb9e5c9187a33
edfba8867561f2fe2"},{"introduced":"0"},{"last_affected":"7bfa5af1d7745d2ec61a8537c56734dc809c2e34"},{"introduced":"0"},{"last_affected":"3e8727d4155bd7aa6c1c45fc73e7bae75d6c7792"},{"introduced":"0"},{"last_affected":"7478627b8aa3e8da77d9ac54788ebb6e163ebbf0"},{"introduced":"0"},{"last_affected":"ea2365c9bde278334ffb54d6b34a1f7ef0a0c884"},{"introduced":"0"},{"last_affected":"021e33ad79d579d1aafd21fde5da27ab133bdfd1"},{"introduced":"0"},{"last_affected":"26b9f421ce109fdc1b0d62eea79ad394e4f46087"},{"introduced":"0"},{"last_affected":"8812d22a3cf1d7865f5e7a73151c0da12094393a"},{"introduced":"0"},{"last_affected":"a77b31dd0452e95f1556ef8e05cf66330a3c2821"},{"introduced":"0"},{"last_affected":"4952e487347f9b7a66aab46b3da5aaea38faf970"},{"introduced":"0"},{"last_affected":"31c26beab22872a14b9ded7908efcae6438be25e"},{"introduced":"0"},{"last_affected":"44346efd29f6f2a5bc2880a95ffbe885c86898f2"},{"introduced":"0"},{"last_affected":"5c4b1282b0c830f6520e36b13db08d8e6e4f5770"},{"introduced":"0"},{"last_affected":"14bae8c27e32a6c2f1a6c1c140c4979d2205a226"},{"introduced":"0"},{"last_affected":"6cb2674122511edacac3cc0c9c21069850191043"},{"introduced":"0"},{"last_affected":"6f3612650ebd6cd57fafa62d644bc503c07e05bf"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.10.6"},{"introduced":"0"},{"last_affected":"7.10.6-NA"},{"introduced":"0"},{"last_affected":"7.10.6-rev10"},{"introduced":"0"},{"last_affected":"7.10.6-rev11"},{"introduced":"0"},{"last_affected":"7.10.6-rev12"},{"introduced":"0"},{"last_affected":"7.10.6-rev13"},{"introduced":"0"},{"last_affected":"7.10.6-rev14"},{"introduced":"0"},{"last_affected":"7.10.6-rev15"},{"introduced":"0"},{"last_affected":"7.10.6-rev16"},{"introduced":"0"},{"last_affected":"7.10.6-rev17"},{"introduced":"0"},{"last_affected":"7.10.6-rev18"},{"introduced":"0"},{"last_affected":"7.10.6-rev19"},{"introduced":"0"},{"last_affected":"7.10.6-rev20"},{"introduced":"0"},{"last_affected":"7.10.6-rev21"},{"introduced":"0"},{"last_affected"
:"7.10.6-rev22"},{"introduced":"0"},{"last_affected":"7.10.6-rev23"},{"introduced":"0"},{"last_affected":"7.10.6-rev24"},{"introduced":"0"},{"last_affected":"7.10.6-rev25"},{"introduced":"0"},{"last_affected":"7.10.6-rev26"},{"introduced":"0"},{"last_affected":"7.10.6-rev27"},{"introduced":"0"},{"last_affected":"7.10.6-rev28"},{"introduced":"0"},{"last_affected":"7.10.6-rev29"},{"introduced":"0"},{"last_affected":"7.10.6-rev30"},{"introduced":"0"},{"last_affected":"7.10.6-rev31"},{"introduced":"0"},{"last_affected":"7.10.6-rev32"},{"introduced":"0"},{"last_affected":"7.10.6-rev33"}]}}],"versions":["7.10.0-0","7.10.0-2","7.10.3-0","7.10.4-0","7.10.4-1","7.10.5-0","7.10.5-1","7.10.5-2","7.10.6-0","7.10.6-10","7.10.6-11","7.10.6-12","7.10.6-13","7.10.6-14","7.10.6-15","7.10.6-16","7.10.6-17","7.10.6-18","7.10.6-19","7.10.6-20","7.10.6-21","7.10.6-22","7.10.6-23","7.10.6-24","7.10.6-25","7.10.6-26","7.10.6-27","7.10.6-28","7.10.6-29","7.10.6-30","7.10.6-31","7.10.6-32","7.10.6-33","7.4.1-6","7.6.2-13","7.6.2-16","7.6.2-18","7.6.2-19","7.6.2-22","7.6.2-23","7.6.2-24","7.8.0-10","7.8.0-11","7.8.0-12","7.8.0-19","7.8.0-7","7.8.0-8","7.8.1-10","7.8.1-11","7.8.1-14","7.8.2-14","7.8.2-16","7.8.2-5","7.8.2-6","7.8.2-7","7.8.2-9","7.8.3-10","7.8.3-9","as-next"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev01"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev02"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev03"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev04"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev05"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev06"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev07"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev08"}]},{"events":[{"introduced":"0"},{"last_affected":"7.10.6-rev09"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29049.json"}}],"schema
_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}