OXAS-ADV-2024-0003
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Publication Date: 2024-04-24
- Current version: 3
- Version status: Final
- Aggregate severity: Medium
References
Vulnerabilities
CVE-2024-25710: Apache Commons Compress library is prone to a denial of service (DoS) vulnerability.
- CVE reference: CVE-2024-25710
- Internal reference: MWB-2525
- CWE: CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
- Discovery date: 2024-03-01
Description
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. Upstream, the flaw affects Commons Compress 1.3 through 1.25.0 and is fixed in 1.26.0; a crafted archive can keep the library looping without reaching an exit condition, tying up the thread that processes it. This issue affects the Apache Commons Compress library shipped with OX App Suite.
Product status
Last affected
Products | CVSS-Vector | CVSS Base Score |
---|---|---|
OX App Suite backend 7.10.6-rev61 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 5.5 |
OX App Suite backend 8.22 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 5.5 |
Threats
Impact
The vulnerability can potentially be exploited through OX App Suite wherever the backend hands archive data to the library, and affects availability of the service (CPU time and worker threads consumed by the loop); confidentiality and integrity are not affected.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-04-11)
For products
- OX App Suite backend 7.10.6-rev62
- OX App Suite backend 8.23
Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.
CVE-2024-25582: XSS using arbitrary relative path to UI module
- CVE reference: CVE-2024-25582
- Internal reference: OXUIB-2718
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2024-01-30
Description
The module path stored in a UI savepoint was not restricted to existing modules. A savepoint could therefore reference an arbitrary relative path, causing the UI to load and execute script content delivered through the same domain.
Product status
Last affected
Products | CVSS-Vector | CVSS Base Score |
---|---|---|
OX App Suite frontend 7.10.6-rev42 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 5.4 |
Threats
Impact
Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account (to plant the savepoint) or successful social engineering to make a user follow a prepared link to a malicious account.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-04-04)
For products
- OX App Suite frontend 7.10.6-rev43
Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.
CVE-2021-41184: Outdated jQuery UI shipped with 7.10.6
- CVE reference: CVE-2021-41184
- Internal reference: OXUIB-2699
- CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
- Discovery date: 2024-01-15
Description
A jQuery UI third-party component with a known vulnerability has been shipped. Upstream, CVE-2021-41184 concerns jQuery UI before 1.13.0, where passing an untrusted value as the `of` option of the `.position()` utility may execute untrusted code; the issue is fixed in jQuery UI 1.13.0.
Product status
Last affected
Products | CVSS-Vector | CVSS Base Score |
---|---|---|
OX App Suite frontend 7.10.6-rev42 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 6.1 |
Threats
Impact
This update serves as a preventive measure: no practical exploitation in the context of OX App Suite is feasible, since the affected option is not populated from untrusted input there.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-03-28)
For products
- OX App Suite frontend 7.10.6-rev43
Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.