CVE-2023-26436 HIGH

Vendor Ox Software Gmbh
Product OX App Suite
Weakness CWE-94 · Code injection
Published June 20, 2023
Last update August 2, 2024

CVSS base score

7.1/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

Attackers with access to the "documentconverterws" API were able to inject serialized Java objects that were not properly validated during deserialization. Access to this API endpoint is restricted to local networks by default. Arbitrary code could be injected and was executed while the request was processed. A check has been introduced so that only legal and expected classes are processed for this API, and a warning is now logged whenever an attempt to inject an illegal class is detected. No publicly available exploits are known.

Key dates

Disclosure timeline

June 20, 2023 CVE published
August 2, 2024 Record updated