7.6.3: Backport of OXUIB-2660 XSS for RSS content using data-attributes
Issue: https://jira.open-xchange.com/browse/OXUIB-2660
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- CVSS base score: 6.1 (Medium)
- CVE: CVE-2024-23192
- CWE: CWE-79
- Exploit Status: No publicly available exploits are known.
- Advisory Vulnerability description: RSS feeds that contain malicious data-attributes could be abused to inject script code into a user's browser session, either when the user reads a compromised RSS feed or when the attacker successfully lures the user into a compromised account that subscribes to such a feed.
- Advisory Impact description: Attackers could perform malicious API requests in the context of the user's session or extract information from the user's account.
- Advisory Remediation description: Potentially malicious attributes, including data-attributes, are now removed from external RSS content before it is rendered.
- Bug Bounty ID: YWH-PGM6122-124
- Patch IDs: 6268
- Release Notes URLs: https://documentation.open-xchange.com/appsuite/releases/8.21/ https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf