OXAS-ADV-2022-0002
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2022-11-02
- Current version: 3
- Version status: Final
- Aggregate severity: Critical
References
Vulnerabilities
CVE-2022-37306: XSS using "upsell" triggers
- CVE reference: CVE-2022-37306
- Internal reference: OXUIB-1795
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-07-29
Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev19 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 8.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-10-21)
For products
- OX App Suite frontend 7.10.5-rev51
- OX App Suite frontend 7.10.6-rev20
- OX App Suite frontend 8.5
Please deploy the provided updates and patch releases. We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.
CVE-2022-43696: XSS using "upsell ads"
- CVE reference: CVE-2022-43696
- Internal reference: OXUIB-1933
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-09-26
HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev19 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.6.3-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-10-21)
For products
- OX App Suite frontend 7.10.5-rev51
- OX App Suite frontend 7.10.6-rev20
- OX App Suite frontend 7.6.3-rev51
Please deploy the provided updates and patch releases. We improved the sanitization process for upsell ads.
CVE-2022-43697: "Tracking" features can be used to inject arbitrary script code
- CVE reference: CVE-2022-43697
- Internal reference: MWB-1784
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-08-16
In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite backend 7.10.6-rev29 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite backend 8.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-10-25)
For products
- OX App Suite backend 7.10.5-rev51
- OX App Suite backend 7.10.6-rev30
- OX App Suite backend 8.5
Please deploy the provided updates and patch releases. We made the related jslob configuration endpoint read-only for users.
CVE-2022-43698: SSRF using POP3 account updates
- CVE reference: CVE-2022-43698
- Internal reference: MWB-1823
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- Discovery date: 2022-09-14
When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 7.10.6-rev29 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 8.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
Threats
Impact
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-10-24)
For products
- OX App Suite backend 7.10.5-rev51
- OX App Suite backend 7.10.6-rev30
- OX App Suite backend 8.5
Please deploy the provided updates and patch releases. We now check compliance with existing deny-list content when updating POP3 mail accounts.
CVE-2022-43699: Mail account discovery can be abused for SSRF
- CVE reference: CVE-2022-43699
- Internal reference: MWB-1862
- CWE: CWE-918 (Server-Side Request Forgery (SSRF))
- Discovery date: 2022-10-06
The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 7.10.6-rev29 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 7.6.3-rev65 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
| OX App Suite backend 8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5.0 |
Threats
Impact
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-11-07)
For products
- OX App Suite backend 7.10.5-rev51
- OX App Suite backend 7.10.6-rev30
- OX App Suite backend 7.6.3-rev66
- OX App Suite backend 8.6
Please deploy the provided updates and patch releases. We check for compliance with existing deny-list content when performing mail account autodiscovery.
CVE-2022-42889: Apache Commons Text (CVE-2022-42889)
- CVE reference: CVE-2022-42889
- Internal reference: MWB-1882
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
- Discovery date: 2022-10-19
A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev50 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| OX App Suite backend 7.10.6-rev29 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
| OX App Suite backend 8.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
Threats
Impact
Remote Code Execution, see CVE-2022-42889.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-10-21)
For products
- OX App Suite backend 7.10.5-rev51
- OX App Suite backend 7.10.6-rev30
- OX App Suite backend 8.7
Please deploy the provided updates and patch releases. We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.