{"id":"CVE-2023-29052","details":"Users were able to define disclaimer texts for an upsell shop dialog that could contain script code, because this content was not sanitized correctly. Attackers could lure victims to user accounts containing malicious script code and make the victims execute that code in the context of a trusted domain. We added sanitization for this content. No publicly available exploits are known.","modified":"2026-04-11T12:45:08.566617Z","published":"2024-01-08T09:15:20.680Z","database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev01"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev02"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev03"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev04"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev05"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev06"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev07"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev08"}]},{"cpe":"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"last_affected":"7.10.6-rev09"}]}]},"references":[{"type":"WEB","url":"http://seclists.org/fulldisclosure/2024/Jan/4"},{"type":"ADVISORY","url":"https://software.open-xchange.com/products/appsuite/doc/Release_Note
s_for_Patch_Release_6251_7.10.6_2023-09-25.pdf"},{"type":"REPORT","url":"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/open-xchange/appsuite-frontend","events":[{"introduced":"0"},{"last_affected":"489e7d0bf2bb0dc4c984860c4ce6f4d772086875"},{"last_affected":"3bf675812dfb666d3dc1bacfc72ed6ba4f19643f"},{"last_affected":"cda1b78b8fa8d35a1602003a9d90fddef2461694"},{"last_affected":"726dba94c43ad95f10aadd3e6ac2bbe4debf4347"},{"last_affected":"22378bdb996bcf376a5122b6f001c7c7c7b7088b"},{"last_affected":"3390ea1e54eab7c269d5e5f2e6791f36cf1ebff8"},{"last_affected":"281ea2f50a7c2c686d66b51e4c8782f6fa5ce75f"},{"last_affected":"065be8690dd07bd17ab711961085b4350dcbd7e2"},{"last_affected":"41eee98c698de20700aa45222fdefebc86fee3db"},{"last_affected":"4703ef3de5fb9e5c9187a33edfba8867561f2fe2"},{"last_affected":"7bfa5af1d7745d2ec61a8537c56734dc809c2e34"},{"last_affected":"3e8727d4155bd7aa6c1c45fc73e7bae75d6c7792"},{"last_affected":"7478627b8aa3e8da77d9ac54788ebb6e163ebbf0"},{"last_affected":"ea2365c9bde278334ffb54d6b34a1f7ef0a0c884"},{"last_affected":"021e33ad79d579d1aafd21fde5da27ab133bdfd1"},{"last_affected":"26b9f421ce109fdc1b0d62eea79ad394e4f46087"},{"last_affected":"8812d22a3cf1d7865f5e7a73151c0da12094393a"},{"last_affected":"a77b31dd0452e95f1556ef8e05cf66330a3c2821"},{"last_affected":"4952e487347f9b7a66aab46b3da5aaea38faf970"},{"last_affected":"31c26beab22872a14b9ded7908efcae6438be25e"},{"last_affected":"44346efd29f6f2a5bc2880a95ffbe885c86898f2"},{"last_affected":"5c4b1282b0c830f6520e36b13db08d8e6e4f5770"},{"last_affected":"14bae8c27e32a6c2f1a6c1c140c4979d2205a226"},{"last_affected":"6cb2674122511edacac3cc0c9c21069850191043"},{"last_affected":"6f3612650ebd6cd57fafa62d644bc503c07e05bf"},{"last_affected":"722628ce97f9626245edc01f07e7f0b7afb12ae5"}],"database_specific":{"cpe":["cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*","cpe:2.3:a:open-xchange
:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev30:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev31:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev32:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev33:*:*:*:*:*:*","cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev34:*:*:*:*:*:*"],"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"7.10.6-NA"},{"last_affected":"7.10.6-rev10"},{"last_affected":"7.10.6-rev11"},{"last_affected":"7.10.6-rev12"},{"last_affected":"7.10.6-rev13"},{"last_affected":"7.10.6-rev14"},{"last_affected":"7.10.6-rev15"},{"last_affected":"7.10.6-rev16"},{"last_affected":"7.10.6-rev17"},{"last_affected":"7.10.6-rev18"},{"last_affected":"7.10.6-rev19"},{"last_affected":"7.10.6-re
v20"},{"last_affected":"7.10.6-rev21"},{"last_affected":"7.10.6-rev22"},{"last_affected":"7.10.6-rev23"},{"last_affected":"7.10.6-rev24"},{"last_affected":"7.10.6-rev25"},{"last_affected":"7.10.6-rev26"},{"last_affected":"7.10.6-rev27"},{"last_affected":"7.10.6-rev28"},{"last_affected":"7.10.6-rev29"},{"last_affected":"7.10.6-rev30"},{"last_affected":"7.10.6-rev31"},{"last_affected":"7.10.6-rev32"},{"last_affected":"7.10.6-rev33"},{"last_affected":"7.10.6-rev34"}]}}],"versions":["7.10.0-0","7.10.0-2","7.10.3-0","7.10.4-0","7.10.4-1","7.10.5-0","7.10.5-1","7.10.5-2","7.10.6-0","7.10.6-10","7.10.6-11","7.10.6-12","7.10.6-13","7.10.6-14","7.10.6-15","7.10.6-16","7.10.6-17","7.10.6-18","7.10.6-19","7.10.6-20","7.10.6-21","7.10.6-22","7.10.6-23","7.10.6-24","7.10.6-25","7.10.6-26","7.10.6-27","7.10.6-28","7.10.6-29","7.10.6-30","7.10.6-31","7.10.6-32","7.10.6-33","7.10.6-34","7.4.1-6","7.6.2-13","7.6.2-16","7.6.2-18","7.6.2-19","7.6.2-22","7.6.2-23","7.6.2-24","7.8.0-10","7.8.0-11","7.8.0-12","7.8.0-19","7.8.0-7","7.8.0-8","7.8.1-10","7.8.1-11","7.8.1-14","7.8.2-14","7.8.2-16","7.8.2-5","7.8.2-6","7.8.2-7","7.8.2-9","7.8.3-10","7.8.3-9","as-next"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-29052.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}