Classification: TLP:GREEN

Internal reference: appsuite/platform/core#336
Type: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.6.3-rev77, OX App Suite backend 8.35.111, OX App Suite backend 8.38.82, OX App Suite backend 8.39.79, OX App Suite backend 8.40.57
First fixed revision: OX App Suite backend 7.6.3-rev78, OX App Suite backend 8.35.112, OX App Suite backend 8.38.83, OX App Suite backend 8.39.80, OX App Suite backend 8.40.58
Discovery date: 2025-07-09
Solution date: 2025-07-10
Disclosure date: 2025-08-12
CVE: CVE-2025-30191
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Details: HTML "form" elements can be used for spoofing and UI redressing. Malicious content delivered by e-mail can be used to perform a redressing attack against the user.
Risk: Users can be tricked into performing unintended actions or providing sensitive information to a third party, which would enable further attacks. No publicly available exploits are known.
Solution: Attribute values containing HTML fragments are now denied by the sanitization procedure.

---

Internal reference: appsuite/support#763
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: ui middleware
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite ui middleware 2.1.7
First fixed revision: OX App Suite ui middleware 2.1.8
Discovery date: 2025-08-06
Solution date: 2025-08-12
Disclosure date: 2025-08-12
CVE: CVE-2025-30188
CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Details: Version information supplied in API requests can be used to pollute caches and cause a denial of service. Malicious or unintentional API requests can be used to add a significant amount of data to caches.
Risk: Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. No publicly available exploits are known.
Solution: Please deploy the provided updates and patch releases.
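The sanitization rule described in the first advisory (CVE-2025-30191), shown as an added example that is not Open-Xchange's sanitizer code: an HTML mail body is re-parsed, and any element whose attribute value itself contains an HTML fragment (for instance a `<form ...>` smuggled into a `title` or `alt` attribute) is refused together with its content. The fragment regex, the void-element list, the decision to drop the whole element rather than just the attribute, and the sample mail body are assumptions made for the example.

```python
"""Illustrative sanitizer check for attribute values that embed HTML.

Added example, not Open-Xchange code. It applies the rule the advisory
states (attribute values containing HTML fragments are denied) on top of
Python's html.parser; the fragment test, void-element list and sample
input are assumptions made for this example.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumption: anything that looks like a start or end tag inside an attribute
# value counts as an HTML fragment. The tag name must follow "<" directly, as
# browsers require, so plain text such as "a < b" is not flagged.
HTML_FRAGMENT = re.compile(r"</?[a-zA-Z][\w:-]*[\s/>]")

# Elements that never carry an end tag; rejecting one must not open a skip scope.
VOID_ELEMENTS = frozenset({"area", "base", "br", "col", "embed", "hr", "img",
                           "input", "link", "meta", "source", "track", "wbr"})


def contains_html_fragment(value: str) -> bool:
    """True if the (already entity-decoded) attribute value embeds markup."""
    return bool(value) and HTML_FRAGMENT.search(value) is not None


class AttributeSanitizer(HTMLParser):
    """Re-emits the input, dropping every element (with its content) that
    carries an attribute value containing an HTML fragment."""

    def __init__(self):
        super().__init__()            # convert_charrefs=True: values arrive decoded
        self.out = []
        self.rejected = []            # (tag, attribute) pairs that were refused
        self._skip = []               # open tags currently being dropped

    def _accept(self, tag, attrs):
        bad = [name for name, value in attrs if contains_html_fragment(value or "")]
        self.rejected.extend((tag, name) for name in bad)
        return not bad

    @staticmethod
    def _render_attrs(attrs):
        return "".join(f' {n}="{escape(v, quote=True)}"' if v is not None else f" {n}"
                       for n, v in attrs)

    def handle_starttag(self, tag, attrs):
        if self._skip or not self._accept(tag, attrs):
            if tag not in VOID_ELEMENTS:   # remember the tag so its end tag is swallowed
                self._skip.append(tag)
            return
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if self._skip or not self._accept(tag, attrs):
            return
        self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if self._skip:
            if self._skip[-1] == tag:
                self._skip.pop()
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions are dropped by default.


def sanitize(html: str):
    """Returns (sanitized_html, rejected) for one HTML mail body."""
    parser = AttributeSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rejected


# Constructed sample mail body (not from any real report): the first link and
# the inline image smuggle a <form> in an attribute, the second link is clean.
SAMPLE_MAIL_HTML = (
    "<p>Invoice attached.</p>"
    "<a href=\"https://example.invalid/pay\" title=\"<form action='https://attacker.invalid'>\">Pay now</a>"
    '<img src="cid:logo" alt="&lt;form action=x&gt;">'
    '<a href="https://example.invalid/ok" title="Plain title">Fine link</a>'
)

if __name__ == "__main__":
    cleaned, refused = sanitize(SAMPLE_MAIL_HTML)
    print(cleaned)
    print(refused)
```

The check runs on the decoded attribute value, which is why the entity-encoded `&lt;form action=x&gt;` in the `alt` attribute is caught as well as the literal one in `title`; a sanitizer that inspects the raw source text before entity decoding would miss it. The example denies the element outright, matching the advisory's wording, rather than trying to escape or repair the value.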
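The failure mode in the second advisory (CVE-2025-30188), modelled as an added example that is not Open-Xchange's ui middleware code: a bounded cache keyed on a version string taken from the request lets any caller mint fresh keys until the entries the running frontend depends on are evicted, while keying only on versions the server actually knows removes that lever. The `version` request parameter, the manifest payload, the cache capacity and the `KNOWN_VERSIONS` allow-list are assumptions made for the example.

```python
"""Model of cache pollution through client-supplied version strings.

Added example, not Open-Xchange code. The request parameter, cache layout,
capacity and allow-list are assumptions; the request stream is constructed.
"""
from collections import OrderedDict


class LruCache:
    """Minimal LRU cache; evicts the least recently used entry when full."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self._entries = OrderedDict()
        self.evictions = 0

    def get(self, key):
        if key not in self._entries:
            return None
        self._entries.move_to_end(key)
        return self._entries[key]

    def put(self, key, value):
        self._entries[key] = value
        self._entries.move_to_end(key)
        if len(self._entries) > self.capacity:
            self._entries.popitem(last=False)   # oldest entry goes first
            self.evictions += 1

    def __contains__(self, key):
        return key in self._entries


# Assumption: the frontend versions this deployment actually serves.
KNOWN_VERSIONS = frozenset({"8.40.57", "8.40.58"})


def build_manifest(version: str) -> dict:
    """Stand-in for the expensive lookup whose result the middleware caches."""
    return {"version": version, "assets": [f"app-{version}.js"]}


def _serve_cached(cache: LruCache, version: str) -> dict:
    key = f"manifest:{version}"
    hit = cache.get(key)
    if hit is None:
        hit = build_manifest(version)
        cache.put(key, hit)
    return hit


def serve_vulnerable(cache: LruCache, version: str):
    """Weak pattern: whatever version string the request carries becomes a key,
    so the key space is controlled by the caller."""
    return _serve_cached(cache, version)


def serve_hardened(cache: LruCache, version: str):
    """Only versions the server knows may become keys; anything else is refused
    before it touches the cache (a real service would answer 400/404 here)."""
    if version not in KNOWN_VERSIONS:
        return None
    return _serve_cached(cache, version)


def simulate(serve, requested_versions, capacity: int = 4):
    """Returns (needed_entry_survived, evictions) after the request stream."""
    cache = LruCache(capacity)
    serve(cache, "8.40.58")                 # entry the running frontend depends on
    for version in requested_versions:
        serve(cache, version)
    return "manifest:8.40.58" in cache, cache.evictions


# Constructed request stream: ten version strings no deployment ever shipped.
BOGUS_VERSIONS = [f"0.0.{i}" for i in range(10)]

if __name__ == "__main__":
    print("vulnerable:", simulate(serve_vulnerable, BOGUS_VERSIONS))
    print("hardened:  ", simulate(serve_hardened, BOGUS_VERSIONS))
```

The point the simulation makes is that a size limit on the cache does not by itself address the risk the advisory names: the cache in the weak variant is already bounded, and that bound is exactly what lets unknown versions push out the entry the frontend needs. The fix is to stop untrusted input from choosing cache keys, here by validating the version against the set of versions the server is actually serving.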