OXAS-ADV-2023-0004
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2023-08-01
- Current version: 3
- Version status: Final
- Aggregate severity: Critical
References
Vulnerabilities
CVE-2023-29046: Timeouts for external content do not cancel the connection
- CVE reference: CVE-2023-29046
- Internal reference: MWB-1982
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-01-03
Connections to external data sources, like e-mail autoconfiguration, were not terminated in case they hit a timeout, instead those connections were logged.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev48 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
| OX App Suite backend 8.11 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 4.3 |
Threats
Impact
Some connections use user-controlled endpoints, which could be malicious and attempt to keep the connection open for an extended period of time. As a result users were able to trigger large amount of egress network connections, possibly exhausting network pool resources and lock up legitimate requests.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-07-24)
For products
- OX App Suite backend 7.10.6-rev49
- OX App Suite backend 8.12
Please deploy the provided updates and patch releases. A new mechanism has been introduced to cancel external connections that might access user-controlled endpoints.
CVE-2023-26455: RMI allows event organizer changes without authentication
CVE reference: CVE-2023-26455
Internal reference: MWB-1996
CWE: CWE-287 (Improper Authentication)
Discovery date: 2023-01-09
Researcher credits: Tim Coen RMI was not requiring authentication when calling ChronosRMIService:setEventOrganizer.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev48 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L | 5.6 |
| OX App Suite backend 8.12 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L | 5.6 |
Threats
Impact
Attackers with local or adjacent network access could abuse the RMI service to modify calendar items using RMI. RMI access is restricted to localhost by default.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-07-25)
For products
- OX App Suite backend 7.10.6-rev49
- OX App Suite backend 8.13
Please deploy the provided updates and patch releases. The interface has been updated to require authenticated requests.
CVE-2023-26456: XSS through unescaped OX Guard "productName" property
- CVE reference: CVE-2023-26456
- Internal reference: GUARD-440
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-06-22
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite guard 2.10.7-rev6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Accounts that were temporarily taken over could be configured to trigger persistent code execution, allowing an attacker to build a foothold.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-07-06)
For products
- OX App Suite guard 2.10.7-rev7
Please deploy the provided updates and patch releases. Sanitization is in place for product names now.
CVE-2023-29047: SQL Injection at Imageconverter "getMetadata"
CVE reference: CVE-2023-29047
Internal reference: DOCS-4767
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Discovery date: 2023-03-14
Researcher credits: Mehmet 'mdisec' Ince Imageconverter API endpoints provided methods that were not sufficiently validating and sanitizing client input, allowing to inject arbitrary SQL statements.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | 7.4 |
| OX App Suite office 8.12 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | 7.4 |
Threats
Impact
An attacker with access to the adjacent network and potentially API credentials, could read and modify database content which is accessible to the imageconverter SQL user account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-04-27)
For products
- OX App Suite office 7.10.6-rev6
- OX App Suite office 8.13
Please deploy the provided updates and patch releases. All possible IC WebService API request parameters are now validated before further processing. In case invalid parameters are detected, the incident gets logged on level ERROR and BAD_REQUEST (Http code 400) response is returned to caller.
CVE-2023-26452: SQLi at Imageconverter cacheAndGetImageAndMetadata endpoint
CVE reference: CVE-2023-26452
Internal reference: DOCS-4800
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Discovery date: 2023-03-29
Researcher credits: Mehmet 'mdisec' Ince Requests to cache an image and return its metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
| OX App Suite office 8.12 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
Threats
Impact
Arbitrary SQL statements could be executed in the context of the services database user account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-04-27)
For products
- OX App Suite office 7.10.6-rev6
- OX App Suite office 8.13
Please deploy the provided updates and patch releases. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error.
CVE-2023-26453: SQLi at Imageconverter cacheImage endpoint
CVE reference: CVE-2023-26453
Internal reference: DOCS-4801
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Discovery date: 2023-03-29
Researcher credits: Mehmet 'mdisec' Ince Requests to cache an image could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
| OX App Suite office 8.12 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
Threats
Impact
Arbitrary SQL statements could be executed in the context of the services database user account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-04-27)
For products
- OX App Suite office 7.10.6-rev6
- OX App Suite office 8.13
Please deploy the provided updates and patch releases. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error.
CVE-2023-26454: SQLi at Imageconverter getMetadata endpoint
CVE reference: CVE-2023-26454
Internal reference: DOCS-4802
CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Discovery date: 2023-03-29
Researcher credits: Mehmet 'mdisec' Ince Requests to fetch image metadata could be abused to include SQL queries that would be executed unchecked. Exploiting this vulnerability requires at least access to adjacent networks of the imageconverter service, which is not exposed to public networks by default.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
| OX App Suite office 8.12 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 9.6 |
Threats
Impact
Arbitrary SQL statements could be executed in the context of the services database user account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-04-27)
For products
- OX App Suite office 7.10.6-rev6
- OX App Suite office 8.13
Please deploy the provided updates and patch releases. API requests are now properly checked for valid content and attempts to circumvent this check are being logged as error.
CVE-2023-29045: XSS through unescaped "insertDrawing" content in collaboration mode
- CVE reference: CVE-2023-29045
- Internal reference: DOCS-4926
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-06-22
Documents operations, in this case "drawing", could be manipulated to contain invalid data types, possibly script code.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-07-07)
For products
- OX App Suite office 7.10.6-rev8
Please deploy the provided updates and patch releases. Operation data exchanged between collaborating parties does now gets checked for validity to avoid code execution.
CVE-2023-29044: XSS through unescaped "imageData" content in collaboration mode
- CVE reference: CVE-2023-29044
- Internal reference: DOCS-4927
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-06-22
Documents operations could be manipulated to contain invalid data types, possibly script code.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Script code could be injected to an operation that would be executed for users that are actively collaborating on the same document.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-07-07)
For products
- OX App Suite office 7.10.6-rev8
Please deploy the provided updates and patch releases. Operation data exchanged between collaborating parties does now get escaped to avoid code execution.
CVE-2023-29043: XSS through unescaped "imageSrc" content at presentations
- CVE reference: CVE-2023-29043
- Internal reference: DOCS-4928
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-06-22
Presentations may contain references to images, which are user-controlled, and could include malicious script code that is being processed when editing a document.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Threats
Impact
Script code embedded in malicious documents could be executed in the context of the user editing the document when performing certain actions, like copying content.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-06-23)
For products
- OX App Suite office 7.10.6-rev8
Please deploy the provided updates and patch releases. The relevant attribute does now get encoded to avoid the possibility of executing script code.