OXAS-ADV-2023-0007
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2023-12-11
- Current version: 4
- Version status: Final
- Aggregate severity: High
References
Vulnerabilities
CVE-2023-41708: XSS using script code as module at app loader
- CVE reference: CVE-2023-41708
- Internal reference: OXUIB-2599
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-10-18
Description
References to the "app loader" functionality could contain redirects to unexpected locations.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev38 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Attackers could forge app references that bypass existing safeguards to inject malicious script code.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-12-01)
For products
- OX App Suite frontend 7.10.6-rev39
Please deploy the provided updates and patch releases. References to apps are now controlled more strictly to avoid relative references.
CVE-2023-41707: Excessive resource usage through mail search regex
- CVE reference: CVE-2023-41707
- Internal reference: MWB-2366
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-11-02
Description
Processing of user-defined mail search expressions is not limited.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev55 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 7.6.3-rev71 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 8.19 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
Threats
Impact
Availability of OX App Suite could be reduced due to high processing load.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-12-05)
For products
- OX App Suite backend 7.10.6-rev56
- OX App Suite backend 7.6.3-rev72
- OX App Suite backend 8.20
Please deploy the provided updates and patch releases. Processing time of mail search expressions is now monitored, and the related request is terminated if a resource threshold is reached.
CVE-2023-41706: Excessive resource usage through drive search regex
- CVE reference: CVE-2023-41706
- Internal reference: MWB-2367
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-11-02
Description
Processing of user-defined drive search expressions is not limited.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev55 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 7.6.3-rev71 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 8.19 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
Threats
Impact
Availability of OX App Suite could be reduced due to high processing load.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-12-01)
For products
- OX App Suite backend 7.10.6-rev56
- OX App Suite backend 7.6.3-rev72
- OX App Suite backend 8.20
Please deploy the provided updates and patch releases. Processing time of drive search expressions is now monitored, and the related request is terminated if a resource threshold is reached.
CVE-2023-41705: High resource consumption by manipulated DAV user-agent strings
- CVE reference: CVE-2023-41705
- Internal reference: MWB-2392
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Discovery date: 2023-11-28
Description
Processing of user-defined DAV user-agent strings is not limited.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev55 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 7.6.3-rev71 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
| OX App Suite backend 8.20 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 6.5 |
Threats
Impact
Availability of OX App Suite could be reduced due to high processing load.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-12-06)
For products
- OX App Suite backend 7.10.6-rev56
- OX App Suite backend 7.6.3-rev72
- OX App Suite backend 8.21
Please deploy the provided updates and patch releases. Processing time of DAV user-agent strings is now monitored, and the related request is terminated if a resource threshold is reached.
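As an added example (not Open-Xchange code), the mitigation shared by CVE-2023-41707, CVE-2023-41706 and CVE-2023-41705 in miniature: a naive backtracking wildcard matcher of the kind used by search filters and user-agent detectors, wrapped so that a single request is terminated when a resource threshold is reached. The wildcard syntax, the thresholds and the sample subjects are assumptions; beside the processing-time deadline the advisory describes, it adds a deterministic step budget so the cut-off is reproducible in tests.

```python
import time

# Added example, not Open-Xchange code. Wildcard syntax, limits and data are assumed.


class ResourceThresholdExceeded(Exception):
    """Raised when one match exceeds its step budget or its deadline."""


def bounded_wildcard_match(pattern, text, max_steps=50_000, deadline_s=0.2):
    """Match a user-supplied expression ('*' = any run, '?' = one character)
    with naive backtracking, the kind of matcher that explodes on crafted
    input. Every step is counted and the clock is checked every 1024 steps;
    a breach raises instead of letting the match run to completion."""
    steps = 0
    deadline = time.monotonic() + deadline_s

    def step():
        nonlocal steps
        steps += 1
        if steps > max_steps:
            raise ResourceThresholdExceeded(f"step budget {max_steps} exceeded")
        if steps % 1024 == 0 and time.monotonic() > deadline:
            raise ResourceThresholdExceeded(f"deadline of {deadline_s}s exceeded")

    def match(p, t):
        step()
        if p == len(pattern):
            return t == len(text)
        c = pattern[p]
        if c == "*":
            # Try every span the wildcard could cover: with many alternating
            # '*' and literals this is where the work grows exponentially.
            return any(match(p + 1, k) for k in range(t, len(text) + 1))
        if t < len(text) and (c == "?" or c == text[t]):
            return match(p + 1, t + 1)
        return False

    return match(0, 0)


def search_with_threshold(pattern, subjects, **limits):
    """Filter subjects case-insensitively; a threshold breach terminates the
    whole request instead of leaving it to consume the worker."""
    try:
        hits = [s for s in subjects
                if bounded_wildcard_match(pattern.lower(), s.lower(), **limits)]
    except ResourceThresholdExceeded as exc:
        return {"status": "terminated", "reason": str(exc)}
    return {"status": "ok", "results": hits}


# Constructed sample mailbox subjects (not real data).
SUBJECTS = ["Invoice 2023-11", "Re: invoice question", "Meeting notes"]
```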
CVE-2023-41704: XSS at E-Mail using CSS CID replacement
- CVE reference: CVE-2023-41704
- Internal reference: MWB-2393
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2023-11-28
Description
Processing of CID references in E-Mails can be abused to inject malicious script code that passes the sanitization engine.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.6-rev55 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | 7.1 |
| OX App Suite backend 7.6.3-rev71 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | 7.1 |
| OX App Suite backend 8.20 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | 7.1 |
Threats
Impact
Malicious script code could be injected into a user's session when interacting with E-Mails.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2023-12-06)
For products
- OX App Suite backend 7.10.6-rev56
- OX App Suite backend 7.6.3-rev72
- OX App Suite backend 8.21
Please deploy the provided updates and patch releases. CID handling has been improved and the resulting content is checked for malicious content.
CVE-2023-41703: UserIds of mentions are not saved correctly after editing a comment with mentions
- CVE reference: CVE-2023-41703
- Internal reference: DOCS-4483
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2022-05-19
Description
User ID references at mentions in document comments were not correctly sanitized.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
| OX App Suite office 8.19 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Threats
Impact
Script code could be injected into a user's session when working with a malicious document.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2022-05-23)
For products
- OX App Suite office 7.10.6-rev10
- OX App Suite office 8.20
Please deploy the provided updates and patch releases. User-defined content such as comments and mentions is now filtered to avoid potentially malicious content.