Classification: TLP:GREEN

Internal reference: appsuite/web-apps/ui#785
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev49
First fixed revision: OX App Suite frontend 7.10.6-rev50
Discovery date: 2024-12-13
Solution date: 2025-01-08
Disclosure date: 2025-01-27
CVE: CVE-2024-47875
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)

Details:
Vulnerable DOMPurify shipped with App Suite 7.10.6 and 7.6.3. The DOMPurify third-party library has been updated to resolve known vulnerabilities.

Risk:
This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite. No publicly available exploits are known.

Solution:
Third-party libraries have been updated.

---

Internal reference: DOCS-5081
Type: CWE-611 (Improper Restriction of XML External Entity Reference)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev15
First fixed revision: OX App Suite office 7.10.6-rev16
Discovery date: 2023-09-12
Solution date: 2024-12-03
Disclosure date: 2025-01-27
CVE: CVE-2022-0839
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:
Resolving third-party vulnerabilities in the office master (7.10.6) repo. Several third-party libraries have been updated to resolve known vulnerabilities. This includes H2, Xalan, Liquibase and Spring Boot.

Risk:
This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite. No publicly available exploits are known.

Solution:
Third-party libraries have been updated.

---

Internal reference: DOCS-5338
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev11
First fixed revision: OX App Suite office 7.10.6-rev12
Discovery date: 2024-12-12
Solution date: 2025-01-27
Disclosure date: 2025-01-27
CVE: CVE-2021-23358
CVSS: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Details:
Resolving third-party vulnerabilities in the office-ui master (7.10.6) repo. Several third-party libraries have been updated to resolve known vulnerabilities. This includes grunt, dompurify, codecept, underscore and requirejs.

Risk:
This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite. No publicly available exploits are known.

Solution:
Third-party libraries have been updated.