CVE-2023-26429

Summary

Control characters were not removed when exporting user feedback content. This allowed attackers to include unexpected content via user feedback and potentially break the exported data structure. We now drop all control characters that are not whitespace character during the export. No publicly available exploits are known.

Affected Software

VendorProductVersion RangeStatus
OX Software GmbHOX App Suite0 <= 7.10.6-rev39affected
OX Software GmbHOX App Suite0 <= 8.10affected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CVE Program Container

Additional References

References