OXAS-ADV-2023-0006
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2023-09-25
- Current version: 7
- Version status: Final
- Aggregate severity: High
References
Vulnerabilities
CVE-2023-29051: User-defined templates can bypass access control
- CVE reference: CVE-2023-29051
- Internal reference: MWB-2315
- CWE: CWE-284 (Improper Access Control)
- Discovery date: 2023-09-21
User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev51 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 |
| OX App Suite backend 8.17 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 8.1 |
Threats
Impact
Unauthorized users could discover and modify application state, including objects related to other users and contexts.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-09-24)
For products
- OX App Suite backend 7.10.6-rev52
- OX App Suite backend 8.18
Please deploy the provided updates and patch releases. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product.
CVE-2023-29052: XSS in upsell portal widget (shop disclaimer)
- CVE reference: CVE-2023-29052
- Internal reference: OXUIB-2532
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-09-07
Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev34 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-09-24)
For products
- OX App Suite frontend 7.10.6-rev35
Please deploy the provided updates and patch releases. We added sanitization for this content.
CVE-2023-41710: XSS in upsell portal widget (shop URL)
- CVE reference: CVE-2023-41710
- Internal reference: OXUIB-2533
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-09-07
User-defined script code could be stored in an upsell-related shop URL. This code was not correctly sanitized when it was added to the DOM.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev34 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-09-24)
For products
- OX App Suite frontend 7.10.6-rev35
Please deploy the provided updates and patch releases. We added sanitization for this content.
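CVE-2023-29052 and CVE-2023-41710 share one root cause: a stored, user-controlled string (a disclaimer text, a shop URL) reaching the DOM without neutralization. The following is an added example, not OX App Suite code, showing the vulnerable concatenation pattern beside a hardened renderer; the widget config object, its field names and the sample values are constructed for illustration.

```javascript
// Vulnerable pattern: stored strings are concatenated straight into markup,
// so script in the disclaimer or a javascript: shop URL runs in the app's origin.
function renderUpsellWidgetVulnerable(cfg) {
  return `<a href="${cfg.shopUrl}">Upgrade</a><p>${cfg.disclaimer}</p>`;
}

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only absolute http(s) URLs are acceptable link targets. The WHATWG URL parser
// normalizes the scheme (case, stray tabs/newlines), so javascript:, data: and
// unparsable or relative input are all rejected by the protocol allowlist.
function sanitizeShopUrl(raw) {
  let url;
  try {
    url = new URL(String(raw));
  } catch {
    return null;
  }
  return url.protocol === 'https:' || url.protocol === 'http:' ? url.href : null;
}

// Hardened renderer: validated URL, and every value escaped for the context
// it lands in (attribute value for href, text content for the disclaimer).
function renderUpsellWidgetHardened(cfg) {
  const safeUrl = sanitizeShopUrl(cfg.shopUrl);
  const link = safeUrl ? `<a href="${escapeHtml(safeUrl)}">Upgrade</a>` : '';
  return `${link}<p>${escapeHtml(cfg.disclaimer)}</p>`;
}

// Constructed hostile config of the kind the two advisories describe.
const hostileConfig = {
  shopUrl: 'javascript:alert(1)',
  disclaimer: '<script>alert(1)</script>',
};
console.log(renderUpsellWidgetVulnerable(hostileConfig)); // script survives
console.log(renderUpsellWidgetHardened(hostileConfig));   // link dropped, text escaped
```

In a real widget, prefer setting `textContent` and `href` through DOM properties over building markup strings; the escaping and URL allowlist above remain the same.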