CVE-2024-25582

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

M

odule savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.

References

Link	Resource
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf
http://seclists.org/fulldisclosure/2024/Aug/37

Configurations

No configuration.

History

04 Nov 2025, 17:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Aug/37 -

19 Aug 2024, 12:59

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-19 07:15

Updated : 2025-11-04 17:15

NVD link : CVE-2024-25582

Mitre link : CVE-2024-25582

CVE.ORG link : CVE-2024-25582

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-25582", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2024-08-19T07:15:03.970", "references": [{"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json", "source": "[email protected]"}, {"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf", "source": "[email protected]"}, {"url": "http://seclists.org/fulldisclosure/2024/Aug/37", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known."}, {"lang": "es", "value": "Se podr\u00eda abusar de los puntos de guardado del m\u00f3dulo para inyectar referencias a c\u00f3digo malicioso entregado a trav\u00e9s del mismo dominio. Los atacantes podr\u00edan realizar solicitudes API maliciosas o extraer informaci\u00f3n de la cuenta del usuario. Explotar esta vulnerabilidad requiere acceso temporal a una cuenta o ingenier\u00eda social exitosa para hacer que un usuario siga un enlace preparado a una cuenta maliciosa. Implemente las actualizaciones y lanzamientos de parches proporcionados. La ruta del m\u00f3dulo de punto de guardado se ha restringido a los m\u00f3dulos que proporcionan la funci\u00f3n, excluyendo cualquier m\u00f3dulo arbitrario o inexistente. No se conocen exploits disponibles p\u00fablicamente."}], "lastModified": "2025-11-04T17:15:46.600", "sourceIdentifier": "[email protected]"}