OXAS-ADV-2025-0001
Metadata
- Document type: OX App Suite Security Advisory
- Publisher: Open-Xchange GmbH
- Classification: TLP:GREEN
- Publication Date: 2025-01-27
- Current version: 2
- Version status: Final
- Aggregate severity: Critical
References
Vulnerabilities
CVE-2024-47875: Vulnerable DOMPurify shipped with App Suite 7.10.6 and 7.6.3
- CVE reference: CVE-2024-47875
- Internal reference: appsuite/web-apps/ui#785
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2024-12-13
Description
The DOMPurify third-party library has been updated to resolve known vulnerabilities.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.6-rev49 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H | 10.0 |
Threats
Impact
This update is applied as a precautionary measure; at this time, none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2025-01-08)
For products
- OX App Suite frontend 7.10.6-rev50
Third-party libraries have been updated.
CVE-2022-0839: Resolving third-party vulnerabilities in the office master (7.10.6) repo
- CVE reference: CVE-2022-0839
- Internal reference: DOCS-5081
- CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
- Discovery date: 2023-09-12
Description
Several third-party libraries have been updated to resolve known vulnerabilities. This includes H2, Xalan, Liquibase and Spring Boot.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 |
Threats
Impact
This update is applied as a precautionary measure; at this time, none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2024-12-03)
For products
- OX App Suite office 7.10.6-rev16
Third-party libraries have been updated.
CVE-2021-23358: Resolving third-party vulnerabilities in the office-ui master (7.10.6) repo
- CVE reference: CVE-2021-23358
- Internal reference: DOCS-5338
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
- Discovery date: 2024-12-12
Description
Several third-party libraries have been updated to resolve known vulnerabilities. This includes grunt, dompurify, codecept, underscore and requirejs.
Product status
Last affected
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite office 7.10.6-rev11 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 7.2 |
Threats
Impact
This update is applied as a precautionary measure; at this time, none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit status
No publicly available exploits are known.
Remediation
Vendor fix (2025-01-27)
For products
- OX App Suite office 7.10.6-rev12
Third-party libraries have been updated.