CVE-2023-26455 MEDIUM

Vendor: OX Software GmbH
Product: OX App Suite
Weakness: CWE-287 · Improper authentication
Published: November 2, 2023
Last update: August 2, 2024

CVSS base score

5.6/10
Attack vector: Local
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: Low
Integrity: High
Availability: Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

The RMI interface did not require authentication for calls to ChronosRMIService:setEventOrganizer. Attackers with local or adjacent network access could abuse the RMI service to modify calendar items. RMI access is restricted to localhost by default. The interface has been updated to require authenticated requests. No publicly available exploits are known.

Key dates

02 Disclosure timeline

November 2, 2023: CVE published
August 2, 2024: Record updated