Internal reference: OXUIB-1654
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.5-rev36, OX App Suite frontend 7.10.6-rev15
First fixed revision: OX App Suite frontend 7.10.5-rev37, OX App Suite frontend 7.10.6-rev16
Discovery date: 2022-05-23
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-31469
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details: Bypass for E-Mail "deep links". The detection mechanism for "deep links" in E-Mail (e.g. links pointing to OX Drive) allows injecting references to arbitrary, non-existent applications. When such a link is followed, unexpected content, potentially including script code, is requested.

Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We improved deep-link validation to avoid malicious use.

---

Internal reference: OXUIB-1678
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.5-rev36, OX App Suite frontend 7.10.6-rev15, OX App Suite frontend 8.2
First fixed revision: OX App Suite frontend 7.10.5-rev37, OX App Suite frontend 7.10.6-rev16, OX App Suite frontend 8.3
Discovery date: 2022-05-30
Solution date: 2024-01-18
Disclosure date: 2022-08-10
CVE: CVE-2022-37307
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details: XSS sanitization bypass for HTML snippets. Certain content, such as E-Mail signatures, is stored using the "snippets" mechanism. This mechanism contains a weakness that allows injecting seemingly benign HTML content, such as XHTML CDATA constructs, that the sanitizer turns into malicious code. Once such code is in place it can be used for persistent access to the user's account.

Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need access to the same OX App Suite instance or temporary access to the user's account. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We improved the sanitizing algorithm to deal with disguised code.

---

Internal reference: OXUIB-1731
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.5-rev36, OX App Suite frontend 7.10.6-rev15, OX App Suite frontend 8.3
First fixed revision: OX App Suite frontend 7.10.5-rev37, OX App Suite frontend 7.10.6-rev16, OX App Suite frontend 8.4
Discovery date: 2022-06-22
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37308
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details: XSS with print templates when using plain-text mail. A plain-text mail that contains HTML code can be used to inject script code when the E-Mail is printed.

Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need to make the victim print a malicious E-Mail. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We removed the text-mode specific code and use the existing sanitization mechanisms for HTML content.

---

Internal reference: OXUIB-1732
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.5-rev36, OX App Suite frontend 7.10.6-rev15, OX App Suite frontend 8.3
First fixed revision: OX App Suite frontend 7.10.5-rev37, OX App Suite frontend 7.10.6-rev16, OX App Suite frontend 8.4
Discovery date: 2022-06-22
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37309
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details: XSS at address picker when not using "fullname". Contacts that do not contain a name but only an e-mail address can be used to inject script code into the "contact picker" component, which is commonly used to select contacts as recipients or participants.

Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need access to the same OX App Suite instance or would need to make the victim import malicious contact data. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We now apply proper HTML escaping to all relevant data sets.
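
The OXUIB-1678 entry describes the mutation class in one sentence: input that looks harmless is turned into a payload by the sanitizer itself. The following example is added here to show that class concretely; it is not OX App Suite code and the inputs are constructed. It contrasts a single-pass deny-list (which produces `<script>` from `<scr<script>ipt>`), the same deny-list re-applied to a fixed point, and a sanitizer that rebuilds markup from parsed tokens, where comments, declarations and CDATA sections (Python's `unknown_decl` callback) are dropped outright. The tag and attribute allow-lists and the scheme list are assumptions for the example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not OX App Suite code. Inputs below are constructed.

_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def naive_strip_script(markup: str) -> str:
    """Single-pass deny-list: delete <script> tags once and trust the result."""
    return _SCRIPT_TAG.sub("", markup)


def strip_script_fixpoint(markup: str, max_rounds: int = 10) -> str:
    """Same deny-list, re-applied until nothing changes. Needing a second
    round means the first pass *produced* markup: that is the bypass class."""
    for _ in range(max_rounds):
        cleaned = _SCRIPT_TAG.sub("", markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned
    raise ValueError("markup did not stabilise; refusing to store it")


ALLOWED_TAGS = {"p", "br", "b", "i", "u", "div", "span", "a"}   # assumed allow-list
VOID_TAGS = {"br"}
URL_ATTRS = {"a": {"href"}}            # the only attributes kept, all URL-valued
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-serialises only what is explicitly allowed. Comments, declarations,
    CDATA sections (unknown_decl), processing instructions, unknown tags and
    non-allow-listed attributes are dropped; all text is re-escaped, so no
    input byte reaches the output verbatim."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in URL_ATTRS.get(tag, ()) and value and _safe_url(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):      # <![CDATA[ ... ]]> lands here
        pass

    def handle_pi(self, data):
        pass


def sanitize(markup: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed inputs
MUTATION = "<scr<script>ipt>alert(1)</scr</script>ipt>"
CDATA_WRAPPED = "<![CDATA[<script>alert(1)</script>]]>"
SIGNATURE = ('<p>Regards,<br>Alice <a href="https://example.com">site</a>'
             '<a href="javascript:alert(1)">x</a></p>')

if __name__ == "__main__":
    print(naive_strip_script(MUTATION))     # one pass turns it INTO <script>alert(1)</script>
    print(strip_script_fixpoint(MUTATION))  # alert(1)  (plain text, no tag)
    print(sanitize(MUTATION))               # no '<' survives, text is escaped
    print(sanitize(CDATA_WRAPPED))          # nothing executable survives, however it tokenises
    print(sanitize(SIGNATURE))              # javascript: href removed, https: kept
```

The fixed-point loop is shown because it is the cheapest patch to an existing deny-list, but the rebuild-from-tokens sanitizer is the one to keep: it never copies input text, so a construct the sanitizer's parser reads differently from the browser (the XHTML CDATA case above) can at worst be dropped, never passed through.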
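
OXUIB-1731 and OXUIB-1732 are the same defect in two rendering paths: a value treated as "just text" (a plain-text mail body, an address used in place of a missing name) is concatenated into markup. The example below is added for this page and is not OX App Suite code; it shows each path as the escaping-free variant that constitutes the bug and as the fixed variant, where escaping happens once, in every branch, and markup is produced only by the renderer. The contact field names `display_name` and `email1`, the template wrapper and the sample inputs are assumptions.

```python
import html
import re

# Added example, not OX App Suite code. Field names and inputs are assumed.

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def print_plaintext_unsafe(body: str) -> str:
    """Bug class: the text-mode path pastes the mail into the print template as
    if text could not contain markup, so HTML in a plain-text mail goes live."""
    return '<div class="print">' + body.replace("\n", "<br>") + "</div>"


def print_plaintext(body: str) -> str:
    """Fixed: escape first; only this function produces markup (line breaks,
    autolinks). The href comes from a regex that cannot match a quote, '<' or
    '>' and always starts with http(s), so no scheme can be smuggled in."""
    parts, pos = [], 0
    for m in URL_RE.finditer(body):
        parts.append(html.escape(body[pos:m.start()]))
        url = m.group(0)
        parts.append(f'<a href="{html.escape(url, quote=True)}">{html.escape(url)}</a>')
        pos = m.end()
    parts.append(html.escape(body[pos:]))
    return '<div class="print">' + "".join(parts).replace("\n", "<br>") + "</div>"


def contact_label_unsafe(contact: dict) -> str:
    """Bug class: the 'has a name' branch escapes, the fallback branch does not."""
    name = contact.get("display_name")
    email = contact.get("email1", "")
    if name:
        return f"{html.escape(name)} &lt;{html.escape(email)}&gt;"
    return email                       # raw address straight into the DOM


def contact_label(contact: dict) -> str:
    """Fixed: build the label as text, escape once at the end, in every branch."""
    name = (contact.get("display_name") or "").strip()
    email = (contact.get("email1") or "").strip()
    label = f"{name} <{email}>" if name else email
    return html.escape(label, quote=True)


# Constructed samples
PLAIN_MAIL = ("Invoice attached.\n"
              "See https://pay.example.com/i/42?x=1&y=2 <img src=x onerror=alert(1)>\n")
EVIL_CONTACT = {"display_name": "", "email1": "x@example.com<img src=x onerror=alert(1)>"}

if __name__ == "__main__":
    print(print_plaintext_unsafe(PLAIN_MAIL))
    print(print_plaintext(PLAIN_MAIL))
    print(contact_label_unsafe(EVIL_CONTACT))
    print(contact_label(EVIL_CONTACT))
```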
---

Internal reference: OXUIB-1785
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.5-rev36, OX App Suite frontend 7.10.6-rev15, OX App Suite frontend 7.6.3-rev50, OX App Suite frontend 8.3
First fixed revision: OX App Suite frontend 7.10.5-rev37, OX App Suite frontend 7.10.6-rev16, OX App Suite frontend 7.6.3-rev51, OX App Suite frontend 8.4
Discovery date: 2022-07-20
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37310
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details: XSS using "capabilities" evaluation and checks. The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters to register malicious capabilities, which are then executed as script code after login.

Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would need the victim to follow a hyperlink to their App Suite instance and log in. While the "metrics" module is optional, the "help" module is available on all instances. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We sanitized any non-parsable characters from the capabilities input.
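
OXUIB-1654 and OXUIB-1785 are one mistake seen twice: an identifier taken from a URL (an application name in a mail "deep link", a capability name in the query string) is treated like internal data. The example below is added for this page and is not OX App Suite code. It serves both entries: a deep-link parser that only yields a navigation target for a known app on the instance's own host, and a capability parser that keeps only tokens matching a strict grammar. The host name, the app ids, the `#!&app=...&folder=...` link layout, the `!` prefix for a disabled capability and the object-id grammar are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not OX App Suite code. Host, app ids, link layout and the
# capability syntax are assumptions.

OWN_HOST = "mail.example.com"
KNOWN_APPS = {"io.ox/mail", "io.ox/files", "io.ox/contacts", "io.ox/calendar"}
OBJECT_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_./-]{0,127}")
CAPABILITY_RE = re.compile(r"!?[a-z][a-z0-9_.-]{0,63}")


def parse_deep_link(href: str):
    """Return a navigation target only for links into this instance that name
    a known app; anything else stays an ordinary external hyperlink (None)."""
    parts = urlsplit(href)
    if parts.scheme != "https" or parts.netloc.lower() != OWN_HOST:
        return None
    if not parts.fragment.startswith("!"):
        return None
    params = parse_qs(parts.fragment[1:].lstrip("&"))
    app = params.get("app", [""])[0]
    if app not in KNOWN_APPS:          # exact match: no pattern, no prefix test
        return None
    target = {"app": app}
    for key in ("folder", "id"):
        if key in params:
            value = params[key][0]
            if not OBJECT_ID_RE.fullmatch(value):
                return None
            target[key] = value
    return target


def parse_capabilities(raw: str):
    """Split a comma-separated capability list and keep only tokens that match
    the grammar. A token with a stray character is discarded whole: stripping
    the character instead could turn 'met<rics' into a real, registered
    capability, which fails open."""
    kept = []
    for token in raw.split(","):
        token = token.strip()
        if token and CAPABILITY_RE.fullmatch(token):
            kept.append(token)
    return kept


if __name__ == "__main__":
    print(parse_deep_link("https://mail.example.com/appsuite/#!&app=io.ox/files&folder=123"))
    print(parse_deep_link("https://mail.example.com/appsuite/#!&app=io.ox/files%3Cimg%20src%3Dx%3E"))
    print(parse_deep_link("https://evil.example/#!&app=io.ox/files"))
    print(parse_capabilities("mail,!metrics, help ,help<img src=x onerror=alert(1)>"))
```

The point of the exact-match set for app names is that the fake-application injection in OXUIB-1654 is not a character problem but a namespace problem: a syntactically perfect id that no registered app owns must still be refused, which a character filter cannot do.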
---

Internal reference: MWB-1712
Type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.5-rev46, OX App Suite backend 7.10.6-rev21, OX App Suite backend 7.6.3-rev65, OX App Suite backend 8.3
First fixed revision: OX App Suite backend 7.10.5-rev47, OX App Suite backend 7.10.6-rev22, OX App Suite backend 7.6.3-rev66, OX App Suite backend 8.4
Discovery date: 2022-07-14
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37313
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details: SSRF due to multiple DNS records per domain. Deny-lists for external connections can be bypassed by using malicious DNS names that return more than one A or AAAA record.

Risk: Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted by deny-list settings. This can be used to determine "internal" addresses and services, depending on timing measurements and the content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We improved the analysis of DNS responses and check all available records against deny-list entries.
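
The bypass in MWB-1712 works because a deny-list consulted for only the first answer of a lookup says nothing about the second. The example below is added for this page and is not OX App Suite code: it shows the first-record check beside one that vets every A/AAAA record, folds IPv4-mapped IPv6 addresses back to the IPv4 they are on the wire, and returns one vetted address for the client to connect to literally. The deny-list ranges and the canned DNS answers are constructed; a `system_resolver` using `socket.getaddrinfo` is included for real use but not exercised here.

```python
import ipaddress
import socket

# Added example, not OX App Suite code. Deny-list and DNS answers are constructed.

DENIED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed answers: the attacker's zone returns a public address first and an
# internal one second (or rotates them), so "check the first record" passes.
CONSTRUCTED_DNS = {
    "feed.example.net":   ["203.0.113.7", "10.0.0.5"],
    "ok.example.net":     ["203.0.113.8"],
    "mapped.example.net": ["::ffff:192.168.1.9"],     # IPv4-mapped IPv6
}


def fake_resolver(host):
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[host]]


def system_resolver(host):
    """Every A and AAAA record the OS resolver returns, de-duplicated."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({ipaddress.ip_address(info[4][0]) for info in infos}, key=str)


def is_denied(addr) -> bool:
    addr = ipaddress.ip_address(addr)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:192.168.1.9 reaches 192.168.1.9
    return any(addr in net for net in DENIED)   # 'in' is False across IP versions


def first_record_only(host, resolver=fake_resolver) -> bool:
    """The bypassable check: passes if whichever record comes first is allowed."""
    return not is_denied(resolver(host)[0])


def pick_vetted_address(host, resolver=fake_resolver):
    """Vet all records; refuse the host if any one is denied; return one vetted
    address that the HTTP client must connect to literally (with the Host
    header / SNI set to the name), so a second lookup cannot substitute a
    different answer between check and use."""
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host}: no address records")
    bad = [str(a) for a in addrs if is_denied(a)]
    if bad:
        raise PermissionError(f"{host} resolves to denied address(es): {', '.join(bad)}")
    return addrs[0]


if __name__ == "__main__":
    print(first_record_only("feed.example.net"))     # True: 10.0.0.5 is never looked at
    try:
        pick_vetted_address("feed.example.net")
    except PermissionError as exc:
        print(exc)
    print(pick_vetted_address("ok.example.net"))
```

Checking every record closes the bypass described in the advisory; connecting to the returned literal address rather than re-resolving the name is what keeps the check meaningful against a zone that changes its answer between the two lookups.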
---

Internal reference: MWB-1713
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.5-rev46, OX App Suite backend 7.10.6-rev21, OX App Suite backend 7.6.3-rev65, OX App Suite backend 8.2
First fixed revision: OX App Suite backend 7.10.5-rev47, OX App Suite backend 7.10.6-rev22, OX App Suite backend 7.6.3-rev66, OX App Suite backend 8.3
Discovery date: 2022-07-14
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37312
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Details: DoS via unchecked "deferrer" servlet parameters. The size of the request body for certain API endpoints was not sufficiently checked for plausibility.

Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We now enforce checks that make sure only requests of plausible size are processed, to avoid uncontrolled resource usage.
---

Internal reference: MWB-1714
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.5-rev46, OX App Suite backend 7.10.6-rev21, OX App Suite backend 7.6.3-rev65
First fixed revision: OX App Suite backend 7.10.5-rev47, OX App Suite backend 7.10.6-rev22, OX App Suite backend 7.6.3-rev66
Discovery date: 2022-07-14
Solution date: 2022-08-02
Disclosure date: 2022-08-10
CVE: CVE-2022-37311
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Details: DoS via unchecked "redirect" servlet parameters. The size of the request parameters for certain API endpoints was not sufficiently checked for plausibility.

Risk: Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication. No publicly available exploits are known.

Solution: Please deploy the provided updates and patch releases. We now enforce checks that make sure only requests of plausible size are processed, to avoid uncontrolled resource usage.
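
MWB-1713 and MWB-1714 share one root cause: an unauthenticated endpoint sized its work by a number the client controls (a body length, a parameter length). The example below is added for this page and is not OX App Suite code. It serves both entries: a body reader that rejects an implausible declared length before touching the stream and otherwise reads in bounded chunks (so neither a lying `Content-Length` nor chunked encoding with no length helps the attacker), and a query parser that bounds the raw string, the field count and each value before parsing. The limits are assumed values for a redirect- or deferrer-style endpoint whose legitimate inputs are a few kilobytes; the requests are constructed with `io.BytesIO`.

```python
import io
from urllib.parse import parse_qsl

# Added example, not OX App Suite code. Limits are assumed values.

MAX_BODY_BYTES = 64 * 1024
MAX_QUERY_BYTES = 4 * 1024
MAX_PARAM_VALUE = 2 * 1024
MAX_PARAMS = 32


class RequestTooLarge(Exception):
    pass


def bytes_stream(data: bytes) -> io.BytesIO:
    """Constructed request body for the examples and tests."""
    return io.BytesIO(data)


def read_body_trusting(stream, content_length):
    """Bug class: read (and so allocate for) whatever size the client declares."""
    return stream.read(content_length)


def read_body_capped(stream, content_length=None, limit=MAX_BODY_BYTES) -> bytes:
    """Reject an implausible declared length before reading anything, then read
    in small chunks and stop the moment the cap is exceeded: the declared
    length, or its absence with chunked encoding, is not to be trusted."""
    if content_length is not None and content_length > limit:
        raise RequestTooLarge(f"declared Content-Length {content_length} exceeds {limit}")
    chunks, total = [], 0
    while True:
        chunk = stream.read(min(8192, limit + 1 - total))   # never ask for more than limit+1
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise RequestTooLarge(f"body exceeds {limit} bytes")
        chunks.append(chunk)
    return b"".join(chunks)


def parse_query_capped(query: str) -> dict:
    """Bound the raw string, the number of fields and each value before the
    parser is allowed to allocate for them."""
    if len(query) > MAX_QUERY_BYTES:
        raise RequestTooLarge(f"query string longer than {MAX_QUERY_BYTES}")
    try:
        pairs = parse_qsl(query, keep_blank_values=True, max_num_fields=MAX_PARAMS)
    except ValueError as exc:      # parse_qsl raises ValueError above max_num_fields
        raise RequestTooLarge(str(exc)) from None
    for name, value in pairs:
        if len(value) > MAX_PARAM_VALUE:
            raise RequestTooLarge(f"parameter {name!r} longer than {MAX_PARAM_VALUE}")
    return dict(pairs)


if __name__ == "__main__":
    lying = bytes_stream(b"x" * 16)
    try:
        read_body_capped(lying, content_length=2**31)
    except RequestTooLarge as exc:
        print(exc, "; stream position still", lying.tell())
    try:
        read_body_capped(bytes_stream(b"a" * (MAX_BODY_BYTES + 1)))   # no length header
    except RequestTooLarge as exc:
        print(exc)
    print(parse_query_capped("redirect=https%3A%2F%2Fmail.example.com%2F&x=1"))
```

The asymmetry the advisories mention is what the ordering of these checks addresses: the cheap comparison against the declared size happens before any allocation, and the chunked read means a client that omits or understates the length still cannot make the server hold more than the cap.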