OXAS-ADV-2024-0004

Metadata

Document type: OX App Suite Security Advisory
Publisher: Open-Xchange GmbH
Classification: TLP:GREEN
Publication Date: 2024-06-13
Current version: 4
Version status: Final
Aggregate severity: Medium

References

Vulnerabilities

CVE-2024-4367: Arbitrary JavaScript execution in PDF.js

CVE reference: CVE-2024-4367open in new window
Internal reference: appsuite/web-apps/ui/-/issues/372
CWE: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Discovery date: 2024-06-08

Description

Arbitrary JavaScript execution in PDF.js.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX App Suite frontend 7.10.6-rev44	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	6.1

Threats

Impact

This update provides safe configuration of a third-party component as a preventive measure to avoid exploitation in the context of OX App Suite.

Exploit status

Exploits for this vulnerability are publicly available.

Remediation

Vendor fix (2024-06-13)

For products

OX App Suite frontend 7.10.6-rev45

Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.

# OXAS-ADV-2024-0004

# Metadata

# References

# Vulnerabilities

# CVE-2024-4367: Arbitrary JavaScript execution in PDF.js

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2024-06-13)

# For products