Internal reference: OXUIB-1795 Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: frontend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite frontend 7.10.5-rev50, OX App Suite frontend 7.10.6-rev19, OX App Suite frontend 8.4 First fixed revision: OX App Suite frontend 7.10.5-rev51, OX App Suite frontend 7.10.6-rev20, OX App Suite frontend 8.5 Discovery date: 2022-07-29 Solution date: 2022-10-21 Disclosure date: 2022-11-02 CVE: CVE-2022-37306 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: XSS using "upsell" triggers. Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code. --- Internal reference: OXUIB-1933 Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: frontend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite frontend 7.10.5-rev50, OX App Suite frontend 7.10.6-rev19, OX App Suite frontend 7.6.3-rev50 First fixed revision: OX App Suite frontend 7.10.5-rev51, OX App Suite frontend 7.10.6-rev20, OX App Suite frontend 7.6.3-rev51 Discovery date: 2022-09-26 Solution date: 2022-10-21 Disclosure date: 2022-11-02 CVE: CVE-2022-43696 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: XSS using "upsell ads". HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We improved the sanitization process for upsell ads. --- Internal reference: MWB-1784 Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: backend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite backend 8.4 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite backend 8.5 Discovery date: 2022-08-16 Solution date: 2022-10-25 Disclosure date: 2022-11-02 CVE: CVE-2022-43697 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: "Tracking" features can be used to inject arbitrary script code. In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We made the related jslob configuration endpoint read-only for users. --- Internal reference: MWB-1823 Type: CWE-918 (Server-Side Request Forgery (SSRF)) Component: backend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite backend 8.4 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite backend 8.5 Discovery date: 2022-09-14 Solution date: 2022-10-24 Disclosure date: 2022-11-02 CVE: CVE-2022-43698 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Details: SSRF using POP3 account updates. When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values. Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We now check compliance with existing deny-list content when updating POP3 mail accounts. --- Internal reference: MWB-1862 Type: CWE-918 (Server-Side Request Forgery (SSRF)) Component: backend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite backend 7.6.3-rev65, OX App Suite backend 8.5 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite backend 7.6.3-rev66, OX App Suite backend 8.6 Discovery date: 2022-10-06 Solution date: 2022-11-07 Disclosure date: 2022-11-02 CVE: CVE-2022-43699 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Details: Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses. Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We check for compliance with existing deny-list content when performing mail account autodiscovery. --- Internal reference: MWB-1882 Type: CWE-94 (Improper Control of Generation of Code ('Code Injection')) Component: backend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite backend 8.6 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite backend 8.7 Discovery date: 2022-10-19 Solution date: 2022-10-21 Disclosure date: 2022-11-02 CVE: CVE-2022-42889 CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Details: Apache Commons Text (CVE-2022-42889). A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable. Risk: Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known. Solution: Please deploy the provided updates and patch releases. We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.