Classification: TLP:GREEN
Internal reference: appsuite/web-apps/ui/-/issues/372
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev44
First fixed revision: OX App Suite frontend 7.10.6-rev45
Discovery date: 2024-06-08
Solution date: 2024-06-13
Disclosure date: 2024-06-13
CVE: CVE-2024-4367
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Details:
Arbitrary JavaScript execution in PDF.js.

Risk:
This update provides safe configuration of a third-party component as a preventive measure to avoid exploitation in the context of OX App Suite. Exploits for this vulnerability are publicly available.

Solution:
Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.