| Publisher: OX Software GmbH | Publication Date: 2022-11-24 |
| Current version: 1 | Status: final |
| Severity: High |
The detection mechanism for "deep links" in E-Mail (e.g. pointing to OX Drive) allows to inject references to arbitrary fake applications. This can be used to request unexpected content, potentially including script code, when those links are used.
| Internal reference: | OXUIB-1654 |
|---|---|
| CWE: | CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| Discovery date: | 2022-05-23 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
We improved deep-link validation to avoid malicious use.
No publicly available exploits are known.
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.
Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account.
| Internal reference: | OXUIB-1678 |
|---|---|
| CWE: | CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| Discovery date: | 2022-05-30 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
We improved the sanitizing algorithm to deal with disguised code.
No publicly available exploits are known.
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account.
Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.
| Internal reference: | OXUIB-1731 |
|---|---|
| CWE: | CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| Discovery date: | 2022-06-22 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
We removed text-mode specific code and use existing sanitization mechanisms for HTML content.
No publicly available exploits are known.
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to make the victim print a malicious E-Mail.
Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants.
| Internal reference: | OXUIB-1732 |
|---|---|
| CWE: | CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| Discovery date: | 2022-06-22 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 5.4 |
We now apply proper HTML escaping to all relevant data sets.
No publicly available exploits are known.
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data.
The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login.
| Internal reference: | OXUIB-1785 |
|---|---|
| CWE: | CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| Discovery date: | 2022-07-20 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite frontend 7.10.5-rev36 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
| OX App Suite frontend 7.10.6-rev15 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | 4.3 |
We sanitized any non-parsable characters from the capabilities input.
No publicly available exploits are known.
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. While the "metrics" module is optional, the "help" module is available on all instances.
Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response.
| Internal reference: | MWB-1712 |
|---|---|
| CWE: | CWE-918: Server-Side Request Forgery (SSRF) |
| Discovery date: | 2022-07-14 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 5 |
We improved the analysis of DNS responses and check all available records against deny-list entries.
No publicly available exploits are known.
Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies.
The size of the request body for certain API endpoints were not sufficiently checked for plausible sizes.
| Internal reference: | MWB-1713 |
|---|---|
| CWE: | CWE-400: Uncontrolled Resource Consumption |
| Discovery date: | 2022-07-14 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
No publicly available exploits are known.
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.
The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.
| Internal reference: | MWB-1714 |
|---|---|
| CWE: | CWE-400: Uncontrolled Resource Consumption |
| Discovery date: | 2022-07-14 |
| Products | CVSS-Vector | CVSS Base Score |
|---|---|---|
| OX App Suite backend 7.10.5-rev46 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
| OX App Suite backend 7.10.6-rev21 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 5.3 |
We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.
No publicly available exploits are known.
Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.