CVE-2023-29049 Information

Description

The �psell\ widget at the portal page could be abused to inject arbitrary script code. Attackers that manage to lure users to a compromised account or gain temporary access to a legitimate account could inject script code to gain persistent code execution capabilities under a trusted domain. User input for this widget is now sanitized to avoid malicious content the be processed. No publicly available exploits are known.

Reference

https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf https://documentation.open-xchange.com/security/advisories/csaf/oxas-adv-2023-0005.json http://seclists.org/fulldisclosure/2024/Jan/3