CVE-2024-25582 (GCVE-0-2024-25582)

Vulnerability from cvelistv5 – Published: 2024-08-19 06:59 – Updated: 2025-11-04 16:11
VLAI?
Summary
Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.
Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
OX
References
Impacted products
Vendor Product Version
Open-Xchange GmbH OX App Suite Affected: 0 , ≤ 7.10.6-rev42 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T13:30:47.579319Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:56:58.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:11:22.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "frontend"
          ],
          "product": "OX App Suite",
          "vendor": "Open-Xchange GmbH",
          "versions": [
            {
              "lessThanOrEqual": "7.10.6-rev42",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-19T07:26:52.397Z",
        "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "shortName": "OX"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json"
        }
      ],
      "source": {
        "defect": "OXUIB-2718",
        "discovery": "INTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
    "assignerShortName": "OX",
    "cveId": "CVE-2024-25582",
    "datePublished": "2024-08-19T06:59:17.511Z",
    "dateReserved": "2024-02-08T08:15:37.204Z",
    "dateUpdated": "2025-11-04T16:11:22.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.\"}, {\"lang\": \"es\", \"value\": \"Se podr\\u00eda abusar de los puntos de guardado del m\\u00f3dulo para inyectar referencias a c\\u00f3digo malicioso entregado a trav\\u00e9s del mismo dominio. Los atacantes podr\\u00edan realizar solicitudes API maliciosas o extraer informaci\\u00f3n de la cuenta del usuario. Explotar esta vulnerabilidad requiere acceso temporal a una cuenta o ingenier\\u00eda social exitosa para hacer que un usuario siga un enlace preparado a una cuenta maliciosa. Implemente las actualizaciones y lanzamientos de parches proporcionados. La ruta del m\\u00f3dulo de punto de guardado se ha restringido a los m\\u00f3dulos que proporcionan la funci\\u00f3n, excluyendo cualquier m\\u00f3dulo arbitrario o inexistente. No se conocen exploits disponibles p\\u00fablicamente.\"}]",
      "id": "CVE-2024-25582",
      "lastModified": "2024-08-19T12:59:59.177",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@open-xchange.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
      "published": "2024-08-19T07:15:03.970",
      "references": "[{\"url\": \"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json\", \"source\": \"security@open-xchange.com\"}, {\"url\": \"https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf\", \"source\": \"security@open-xchange.com\"}]",
      "sourceIdentifier": "security@open-xchange.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@open-xchange.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-25582\",\"sourceIdentifier\":\"security@open-xchange.com\",\"published\":\"2024-08-19T07:15:03.970\",\"lastModified\":\"2025-11-04T17:15:46.600\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.\"},{\"lang\":\"es\",\"value\":\"Se podr\u00eda abusar de los puntos de guardado del m\u00f3dulo para inyectar referencias a c\u00f3digo malicioso entregado a trav\u00e9s del mismo dominio. Los atacantes podr\u00edan realizar solicitudes API maliciosas o extraer informaci\u00f3n de la cuenta del usuario. Explotar esta vulnerabilidad requiere acceso temporal a una cuenta o ingenier\u00eda social exitosa para hacer que un usuario siga un enlace preparado a una cuenta maliciosa. Implemente las actualizaciones y lanzamientos de parches proporcionados. La ruta del m\u00f3dulo de punto de guardado se ha restringido a los m\u00f3dulos que proporcionan la funci\u00f3n, excluyendo cualquier m\u00f3dulo arbitrario o inexistente. No se conocen exploits disponibles p\u00fablicamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@open-xchange.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@open-xchange.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json\",\"source\":\"security@open-xchange.com\"},{\"url\":\"https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf\",\"source\":\"security@open-xchange.com\"},{\"url\":\"http://seclists.org/fulldisclosure/2024/Aug/37\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2024/Aug/37\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-04T16:11:22.622Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-25582\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-19T13:30:47.579319Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-03T17:56:55.713Z\"}}], \"cna\": {\"source\": {\"defect\": \"OXUIB-2718\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Open-Xchange GmbH\", \"modules\": [\"frontend\"], \"product\": \"OX App Suite\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.10.6-rev42\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf\", \"tags\": [\"release-notes\"]}, {\"url\": \"https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"cwe\", \"cweId\": \"CWE-79\", \"description\": \"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"8ce71d90-2354-404b-a86e-bec2cc4e6981\", \"shortName\": \"OX\", \"dateUpdated\": \"2024-08-19T07:26:52.397Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-25582\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-04T16:11:22.622Z\", \"dateReserved\": \"2024-02-08T08:15:37.204Z\", \"assignerOrgId\": \"8ce71d90-2354-404b-a86e-bec2cc4e6981\", \"datePublished\": \"2024-08-19T06:59:17.511Z\", \"assignerShortName\": \"OX\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.