OXAS-ADV-2023-0001
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2023-02-06
- Current version: 3
- Version status: Final
- Aggregate severity: High
References
Vulnerabilities
CVE-2023-24599: Users can change arbitrary appointments by ID confusion
- CVE reference: CVE-2023-24599
- Internal reference: MWB-1978
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Discovery date: 2023-01-02
Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L | 7.1 |
| OX App Suite backend 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L | 7.1 |
Threats
Impact
Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-27)
For products
- OX App Suite backend 7.10.6-rev37
- OX App Suite backend 8.9
Please deploy the provided updates and patch releases. We improved permission checks when updating appointments to restrict access.
CVE-2023-24603: Size limits for external content are not considered for data transfer
- CVE reference: CVE-2023-24603
- Internal reference: MWB-1981
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-01-03
HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-31)
For products
- OX App Suite backend 7.10.6-rev37
- OX App Suite backend 8.10
Please deploy the provided updates and patch releases. We improved the limitation for content length and immediately stop downloading if a threshold is hit.
CVE-2023-24604: Header length does not get limited for external content
- CVE reference: CVE-2023-24604
- Internal reference: MWB-1983
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-01-03
HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-30)
For products
- OX App Suite backend 7.10.6-rev37
- OX App Suite backend 8.10
Please deploy the provided updates and patch releases. We introduced a limitation for HTTP header length and reject processing if a threshold is hit.
CVE-2023-24598: Distribution lists allow discovering private contacts of other users
- CVE reference: CVE-2023-24598
- Internal reference: MWB-1995
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Discovery date: 2023-01-09
Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
| OX App Suite backend 7.6.3-rev66 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
| OX App Suite backend 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
Threats
Impact
Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-27)
For products
- OX App Suite backend 7.10.6-rev37
- OX App Suite backend 7.6.3-rev67
- OX App Suite backend 8.9
Please deploy the provided updates and patch releases. We improved permission checks when editing distribution lists to restrict access.
CVE-2023-24605: API access not fully restricted when requiring 2FA
- CVE reference: CVE-2023-24605
- Internal reference: MWB-1997
- CWE: CWE-284 (Improper Access Control)
- Discovery date: 2023-01-10
When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N | 5.9 |
Threats
Impact
Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-10)
For products
- OX App Suite backend 7.10.6-rev37
Please deploy the provided updates and patch releases. We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.
CVE-2023-24600: "Read own/delete all" permissions allows moving other users contacts to own address book
- CVE reference: CVE-2023-24600
- Internal reference: MWB-1998
- CWE: CWE-284 (Improper Access Control)
- Discovery date: 2023-01-10
Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed that users could move objects which they were not expected to read.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev36 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite backend 7.6.3-rev66 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite backend 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 4.3 |
Threats
Impact
Moving objects to folders with read access effectively bypassed the "read own" restriction.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-27)
For products
- OX App Suite backend 7.10.6-rev37
- OX App Suite backend 7.6.3-rev67
- OX App Suite backend 8.9
Please deploy the provided updates and patch releases. Permission checks have been updated and include checking for read permissions when performing move operations.
CVE-2023-24597: Remote resources are loaded in print view
- CVE reference: CVE-2023-24597
- Internal reference: OXUIB-2130
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Discovery date: 2023-01-03
When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev23 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | 4.2 |
| OX App Suite frontend 7.6.3-rev51 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | 4.2 |
| OX App Suite frontend 8.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | 4.2 |
Threats
Impact
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-26)
For products
- OX App Suite frontend 7.10.6-rev24
- OX App Suite frontend 7.6.3-rev52
- OX App Suite frontend 8.9
Please deploy the provided updates and patch releases. We now apply the same setting for loading external content when generating the E-Mail print content.
CVE-2023-24601: XSS with non-app deeplinks like "registry"
- CVE reference: CVE-2023-24601
- Internal reference: OXUIB-2034
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-11-02
The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev23 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 |
| OX App Suite frontend 7.6.3-rev51 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 |
| OX App Suite frontend pre8.0 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-01-30)
For products
- OX App Suite frontend 7.10.6-rev24
- OX App Suite frontend 7.6.3-rev52
- OX App Suite frontend 8.0
Please deploy the provided updates and patch releases. We made the relevant jslob path read-only for users.
CVE-2023-24602: XSS at Tumblr portal widget due to missing content sanitization
- CVE reference: CVE-2023-24602
- Internal reference: OXUIB-2033
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2022-11-02
External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev23 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 |
| OX App Suite frontend 8.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N | 4.6 |
Threats
Impact
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-03-10)
For products
- OX App Suite frontend 7.10.6-rev24
- OX App Suite frontend 8.7
Please deploy the provided updates and patch releases. We now insert untrusted external content as plain-text.