CVE-2023-26451
Published: 02 August 2023
Summary
CVE-2023-26451 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Open-Xchange Open-Xchange Appsuite Backend. Its CVSS base score is 7.5 (High).
Operationally, ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30271
Vulnerability details
Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result, other…
more
users accounts could be compromised. The oAuth Authorization Service is not enabled by default. We have updated the implementation to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Key generation under controlled management uses approved random-bit sources rather than insufficiently random values.