OXAS-ADV-2022-0001
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2022-08-10
- Current version: 3
- Version status: Final
- Aggregate severity: Medium
References
Vulnerabilities
CVE-2022-31469: Bypass for E-Mail "deep links"
- CVE reference: CVE-2022-31469
- Internal reference: OXUIB-1654
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-05-23
The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite frontend 7.10.5-rev37
- OX App Suite frontend 7.10.6-rev16
Please deploy the provided updates and patch releases. We improved deep-link validation to avoid malicious use.
CVE-2022-37307: XSS sanitization bypass for HTML snippets
- CVE reference: CVE-2022-37307
- Internal reference: OXUIB-1678
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-05-30
Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-01-18)
For products
- OX App Suite frontend 7.10.5-rev37
- OX App Suite frontend 7.10.6-rev16
- OX App Suite frontend 8.3
Please deploy the provided updates and patch releases. We improved the sanitizing algorithm to deal with disguised code.
CVE-2022-37308: XSS with print templates when using plain-text mail
- CVE reference: CVE-2022-37308
- Internal reference: OXUIB-1731
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-06-22
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite frontend 7.10.5-rev37
- OX App Suite frontend 7.10.6-rev16
- OX App Suite frontend 8.4
Please deploy the provided updates and patch releases. We removed text-mode specific code and use existing sanitization mechanisms for HTML content.
CVE-2022-37309: XSS at address picker when not using "fullname"
- CVE reference: CVE-2022-37309
- Internal reference: OXUIB-1732
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-06-22
Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite frontend 7.10.5-rev37
- OX App Suite frontend 7.10.6-rev16
- OX App Suite frontend 8.4
Please deploy the provided updates and patch releases. We now apply proper HTML escaping to all relevant data sets.
CVE-2022-37310: XSS using "capabilities" evaluation and checks
- CVE reference: CVE-2022-37310
- Internal reference: OXUIB-1785
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-07-20
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.6.3-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 8.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, the "help" module is available on all instances.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite frontend 7.10.5-rev37
- OX App Suite frontend 7.10.6-rev16
- OX App Suite frontend 7.6.3-rev51
- OX App Suite frontend 8.4
Please deploy the provided updates and patch releases. We sanitized any non-parsable characters from the capabilities input.
CVE-2022-37313: SSRF due to multiple DNS records per domain
- CVE reference: CVE-2022-37313
- Internal reference: MWB-1712
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- Discovery date: 2022-07-14
Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 7.6.3-rev65 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
Threats
Impact
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite backend 7.10.5-rev47
- OX App Suite backend 7.10.6-rev22
- OX App Suite backend 7.6.3-rev66
- OX App Suite backend 8.4
Please deploy the provided updates and patch releases. We improved the analysis of DNS responses and check all available records against deny-list entries.
CVE-2022-37312: DoS via unchecked "deferrer" servlet parameters
- CVE reference: CVE-2022-37312
- Internal reference: MWB-1713
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2022-07-14
The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.6.3-rev65 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
Threats
Impact
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite backend 7.10.5-rev47
- OX App Suite backend 7.10.6-rev22
- OX App Suite backend 7.6.3-rev66
- OX App Suite backend 8.3
Please deploy the provided updates and patch releases. We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
CVE-2022-37311: DoS via unchecked "redirect" servlet parameters
- CVE reference: CVE-2022-37311
- Internal reference: MWB-1714
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2022-07-14
The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.6.3-rev65 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
Threats
Impact
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-08-02)
For products
- OX App Suite backend 7.10.5-rev47
- OX App Suite backend 7.10.6-rev22
- OX App Suite backend 7.6.3-rev66
Please deploy the provided updates and patch releases. We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.