Internal reference: MWB-2525
Type: CWE-835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev61, OX App Suite backend 8.22
First fixed revision: OX App Suite backend 7.10.6-rev62, OX App Suite backend 8.23
Discovery date: 2024-03-01
Solution date: 2024-04-11
Disclosure date: 2024-04-24
CVE: CVE-2024-25710
CVSS: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Details:
The Apache Commons Compress library is prone to a denial of service (DoS) vulnerability: a Loop with Unreachable Exit Condition ('Infinite Loop') in Apache Commons Compress. This issue affects the Apache Commons Compress library shipped with OX App Suite.

Risk:
The vulnerability can potentially be exploited through OX App Suite and affect availability of the service. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.

---

Internal reference: OXUIB-2718
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev42
First fixed revision: OX App Suite frontend 7.10.6-rev43
Discovery date: 2024-01-30
Solution date: 2024-04-04
Disclosure date: 2024-04-24
CVE: CVE-2024-25582
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using an arbitrary relative path to a UI module. Module savepoints could be abused to inject references to malicious code delivered through the same domain.

Risk:
Attackers could perform malicious API requests or extract information from the user's account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.

---

Internal reference: OXUIB-2699
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev42
First fixed revision: OX App Suite frontend 7.10.6-rev43
Discovery date: 2024-01-15
Solution date: 2024-03-28
Disclosure date: 2024-04-24
CVE: CVE-2021-41184
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Details:
Outdated jquery-ui shipped with 7.10.6. jQuery third-party components with known vulnerabilities have been shipped.

Risk:
This update serves as a preventive measure, since no practical exploitation in the context of OX App Suite is feasible. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.