OXAS-ADV-2022-0002: OX App Suite Security Advisory

Publisher: OX Software GmbH
Publication Date: 2023-02-08
Current version: 1
Status: final
Severity: High

References

Vulnerabilities

XSS using "upsell" triggers (CVE-2022-37306)

Description

Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and when opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Internal reference: OXUIB-1795
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Discovery date: 2022-07-29

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.5-rev50 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3
OX App Suite backend 7.10.6-rev29 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3

Remediations

Vendor fix (2022-10-21)

We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure the user into a compromised account.

XSS using "upsell ads" (CVE-2022-43696)

Description

HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and when opening the "Portal" application, enabling a persistent cross-site scripting attack vector.

Internal reference: OXUIB-1933
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Discovery date: 2022-09-26

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite frontend 7.10.5-rev38 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3
OX App Suite frontend 7.10.6-rev19 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3

Remediations

Vendor fix (2022-10-21)

We improved the sanitization process for upsell ads.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure the user into a compromised account.

"Tracking" features can be used to inject arbitrary script code (CVE-2022-43697)

Description

If activity tracking adapters are enabled but not defined, users can use jslob to define their own tracking settings for an account. This allows adding arbitrary values that trigger a specific URL or load a library.

Internal reference: MWB-1784
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Discovery date: 2022-08-16

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.5-rev50 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3
OX App Suite backend 7.10.6-rev29 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 4.3

Remediations

Vendor fix (2022-10-25)

We made the related jslob configuration endpoint read-only for users.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure the user into a compromised account.

SSRF using POP3 account updates (CVE-2022-43698)

Description

When a user changed a valid external POP3 mail account, the operation that updates the account's settings did not consider deny-list values.

Internal reference: MWB-1823
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Discovery date: 2022-09-14

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.5-rev50 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0
OX App Suite backend 7.10.6-rev29 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0

Remediations

Vendor fix (2022-10-24)

We now check compliance with existing deny-list content when updating POP3 mail accounts.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on the measurable behaviour and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies.

Mail account discovery can be abused for SSRF (CVE-2022-43699)

Description

The external E-Mail autodiscovery feature performs connection checks based on the host part of the E-Mail address. Those checks do not take existing deny-lists into account, allowing attackers with control over the DNS records of a domain to redirect the requests to addresses that the deny-list is meant to block.

Internal reference: MWB-1862
CWE: CWE-918: Server-Side Request Forgery (SSRF)
Discovery date: 2022-10-06

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.5-rev50 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0
OX App Suite backend 7.10.6-rev29 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 5.0

Remediations

Vendor fix (2022-11-07)

We check for compliance with existing deny-list content when performing mail account autodiscovery.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on the measurable behaviour and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies.
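As an added example (not OX App Suite code), the following shows the kind of deny-list check the two SSRF fixes above describe, applied both to a POP3 account update and to the host part that autodiscovery derives from an E-Mail address; it resolves the host first and rejects it if any resolved address is deny-listed, which is what defeats attacker-controlled DNS records. The deny-list ranges, the resolver, and the account field names are assumptions.

```python
import ipaddress
from typing import Callable, Iterable

# Assumed deny-list: private, loopback and link-local ranges (IPv4 and IPv6).
DENY_LIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], Iterable[str]]  # hostname -> resolved addresses

def host_is_allowed(host: str, resolve: Resolver) -> bool:
    """True only if every address the host resolves to lies outside the deny-list."""
    host = host.strip().rstrip(".").lower().strip("[]")
    if not host:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP given directly
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return False                                   # unresolvable: fail closed
    # One internal record among several public ones is enough to reject.
    return not any(a in net for a in addrs for net in DENY_LIST)

def autodiscovery_host(email: str) -> str:
    """Host part of an E-Mail address, as autodiscovery would use it."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an E-Mail address")
    return domain

def update_pop3_account(current: dict, changes: dict, resolve: Resolver) -> dict:
    """Apply an account update only after re-validating the (possibly changed) host."""
    merged = {**current, **changes}
    if not host_is_allowed(merged["pop3_server"], resolve):
        raise PermissionError("POP3 host is deny-listed")
    return merged

# Constructed stand-in for DNS: the second name carries an extra record that
# points into an internal network, the way an attacker-controlled zone could.
FAKE_DNS = {
    "pop.example.net": ["203.0.113.10"],
    "evil.example.org": ["203.0.113.10", "10.0.0.5"],
}

def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])
```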

Apache Commons Text Update (CVE-2022-42889)

Description

A critical vulnerability in the Apache Commons Text library has been identified; the library is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge, this means our products are not vulnerable.

Internal reference: MWB-1882, DOCS-4580
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
Discovery date: 2022-10-19

Product status

Last affected
Products CVSS-Vector CVSS Base Score
OX App Suite backend 7.10.5-rev50 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8
OX App Suite backend 7.10.6-rev29 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8
OX App Suite office 7.10.5-rev10 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8
OX App Suite office 7.10.6-rev5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8

Remediations

Vendor fix (2022-10-21)

We provided an update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Remote Code Execution, see CVE-2022-42889.