OXAS-ADV-2025-0002

Metadata

Document type: OX App Suite Security Advisory
Publisher: Open-Xchange GmbH
Classification: TLP:GREEN
Publication Date: 2025-08-12
Current version: 2
Version status: Final
Aggregate severity: High

References

Vulnerabilities

CVE-2025-30191: HTML "form" elements can be used for spoofing and redressing

CVE reference: CVE-2025-30191open in new window
Internal reference: appsuite/platform/core#336
CWE: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Discovery date: 2025-07-09

Description

Malicious content from E-Mail can be used to perform a redressing attack.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX App Suite backend 7.6.3-rev77	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	5.4
OX App Suite backend 8.35.111	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	5.4
OX App Suite backend 8.38.82	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	5.4
OX App Suite backend 8.39.79	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	5.4
OX App Suite backend 8.40.57	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	5.4

Threats

Impact

Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats.

Exploit status

No publicly available exploits are known

Remediation

Vendor fix (2025-07-10)

For products

OX App Suite backend 7.6.3-rev78
OX App Suite backend 8.35.112
OX App Suite backend 8.38.83
OX App Suite backend 8.39.80
OX App Suite backend 8.40.58

Attribute values containing HTML fragments are now denied by the sanitization procedure.

CVE-2025-30188: Version information can be used to pollute caches and cause denial of service

CVE reference: CVE-2025-30188open in new window
Internal reference: appsuite/support#763
CWE: CWE-400 (Uncontrolled Resource Consumption)
Discovery date: 2025-08-06

Description

Malicious or unintentional API requests can be used to add significant amount of data to caches.

Product status

Last affected

Products	CVSS-Vector	CVSS Base Score
OX App Suite ui middleware 2.1.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	7.5

Threats

Impact

Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component.

Exploit status

No publicly available exploits are known

Remediation

Vendor fix (2025-08-12)

For products

OX App Suite ui middleware 2.1.8

Please deploy the provided updates and patch releases.

# OXAS-ADV-2025-0002

# Metadata

# References

# Vulnerabilities

# CVE-2025-30191: HTML "form" elements can be used for spoofing and redressing

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2025-07-10)

# For products

# CVE-2025-30188: Version information can be used to pollute caches and cause denial of service

# Description

# Product status

# Last affected

# Threats

# Impact

# Exploit status

# Remediation

# Vendor fix (2025-08-12)

# For products

OXAS-ADV-2025-0002

Metadata

References

Vulnerabilities

CVE-2025-30191: HTML "form" elements can be used for spoofing and redressing

Description

Product status

Last affected

Threats

Impact

Exploit status

Remediation

Vendor fix (2025-07-10)

For products

CVE-2025-30188: Version information can be used to pollute caches and cause denial of service

Description

Product status

Last affected

Threats

Impact

Exploit status

Remediation

Vendor fix (2025-08-12)

For products