OXAS-ADV-2023-0001: OX App Suite Security Advisory

Publisher: OX Software GmbH
Publication Date: 2023-02-06
Current version: 1
Status: final
Severity: High

Vulnerabilities

Remote resources are loaded in print view (CVE-2023-24597)

Description

When an E-Mail is flagged as spam, or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically, to protect users' privacy. However, when printing an E-Mail, external content was loaded automatically without user consent.

Internal reference: OXUIB-2130
CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Discovery date: 2023-01-03

Product status

Last affected:
Product: OX App Suite frontend 7.10.6-rev23
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS base score: 4.2

Remediations

Vendor fix (2023-02-06)

We now apply the same setting for loading external content when generating the E-Mail print content.

For products:

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour.

XSS with non-app deeplinks like "registry" (CVE-2023-24601)

Description

The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.

Internal reference: OXUIB-2034
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Discovery date: 2022-11-02

Product status

Last affected:
Product: OX App Suite frontend 7.10.6-rev23
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS base score: 4.6

Remediations

Vendor fix (2023-02-06)

We made the relevant jslob path read-only for users.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user into a compromised account.

XSS at Tumblr portal widget due to missing content sanitization (CVE-2023-24602)

Description

External content, like post titles, has been evaluated as HTML when adding Tumblr feeds to the portal page.

Internal reference: OXUIB-2033
CWE: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Discovery date: 2022-02-11

Product status

Last affected:
Product: OX App Suite frontend 7.10.6-rev23
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS base score: 4.6

Remediations

Vendor fix (2023-02-06)

We now insert untrusted external content as plain-text.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account, would have to compromise a Tumblr feed, or would have to make the victim include a malicious feed.

"Read own/delete all" permissions allow moving other users' contacts to own address book (CVE-2023-24600)

Description

Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed users to move objects which they were not expected to be able to read.

Internal reference: MWB-1998
CWE: CWE-284: Improper Access Control
Discovery date: 2023-01-10

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS base score: 4.3

Remediations

Vendor fix (2023-02-06)

Permission checks have been updated and include checking for read permissions when performing move operations.

For products:

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Moving objects to folders with read access effectively bypassed the "read own" restriction.
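As an added illustration (not OX App Suite code), the following JavaScript models a folder ACL with "own"/"all" read and delete levels and shows the move check with and without the read requirement; the users, folders, contacts and field names are constructed sample data, and the same "may the caller read the referenced object" check is what the distribution-list fix below (CVE-2023-24598) relies on.

```javascript
// Added example (not OX App Suite code): a simplified folder-ACL model showing
// why a move must check read permission on the object itself, not only the
// delete permission on the source folder. Levels and field names are assumed.
const NONE = 0, OWN = 1, ALL = 2;

// Constructed sample folders: "shared" grants bob the problematic
// "read own, delete all" combination; "bobOwn" is bob's private folder.
const folders = {
  shared: { acl: { alice: { read: ALL, delete: ALL, create: true },
                   bob:   { read: OWN, delete: ALL, create: false } } },
  bobOwn: { acl: { bob:   { read: ALL, delete: ALL, create: true } } },
};
// Constructed sample contacts: c1 created by alice, c2 created by bob.
const contacts = {
  c1: { folder: 'shared', createdBy: 'alice' },
  c2: { folder: 'shared', createdBy: 'bob' },
};

function perms(user, folderId) {
  return folders[folderId].acl[user] || { read: NONE, delete: NONE, create: false };
}

// ALL covers every object in the folder, OWN only objects the user created.
function allows(level, user, obj) {
  return level === ALL || (level === OWN && obj.createdBy === user);
}

// Vulnerable shape: only delete-on-source and create-on-target are checked,
// so "read own / delete all" lets bob move alice's contact into a folder
// where he can read it.
function canMoveVulnerable(user, contactId, targetFolder) {
  const obj = contacts[contactId];
  return allows(perms(user, obj.folder).delete, user, obj)
      && perms(user, targetFolder).create;
}

// Fixed shape: the mover must also be allowed to read the object, so a
// "read own" user can only move objects they created themselves.
function canMoveFixed(user, contactId, targetFolder) {
  const obj = contacts[contactId];
  const src = perms(user, obj.folder);
  return allows(src.read, user, obj)
      && allows(src.delete, user, obj)
      && perms(user, targetFolder).create;
}
```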

API access not fully restricted when requiring 2FA (CVE-2023-24605)

Description

When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.

Internal reference: MWB-1997
CWE: CWE-284: Improper Access Control
Discovery date: 2023-01-10

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N
CVSS base score: 5.9

Remediations

Vendor fix (2023-02-06)

We added permission checks to make sure all kinds of API paths are restricted prior to the session being fully authenticated.

For products:

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers with access to a victim's credentials were able to perform limited read operations on contacts and drive, as well as to modify the names of the multi-factor tokens.
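An added example (not OX App Suite code) of the shape of such a fix: a request filter that default-denies everything a session may do before its second factor is verified, compared with a deny-list that leaves gaps; the session fields, module names and actions are assumptions.

```javascript
// Added example (not OX App Suite code): filtering API requests for a session
// that passed the password check but has not yet completed the second factor.
// The session fields and the "module/action" request shape are assumptions.

// Vulnerable shape: a deny-list of modules. Anything not listed (contacts,
// drive, ...) is reachable before the second factor is verified, and the
// "multifactor" module itself, not being listed, exposes all of its actions.
const PRE_2FA_DENYLIST = new Set(['mail', 'calendar']);

function allowedVulnerable(session, module, action) {
  if (!session.passwordOk) return false;
  if (session.secondFactorOk) return true;
  return !PRE_2FA_DENYLIST.has(module);
}

// Fixed shape: default deny, with an allow-list at module/action granularity.
// A half-authenticated session may only do what is needed to finish login;
// managing (e.g. renaming) the factors themselves requires full authentication.
const PRE_2FA_ALLOWLIST = new Set([
  'multifactor/list',    // show which second factors are available
  'multifactor/verify',  // submit the second factor
  'login/logout',
]);

function allowedFixed(session, module, action) {
  if (!session.passwordOk) return false;
  if (session.secondFactorOk) return true;
  return PRE_2FA_ALLOWLIST.has(`${module}/${action}`);
}

// Constructed sessions as a middleware filter would see them.
const halfAuth = { passwordOk: true, secondFactorOk: false };
const fullAuth = { passwordOk: true, secondFactorOk: true };

// Which of a few sample requests a policy lets through for a given session.
function survey(check, session) {
  const requests = [['contacts', 'get'], ['drive', 'list'],
                    ['multifactor', 'verify'], ['multifactor', 'rename']];
  return requests.filter(([m, a]) => check(session, m, a)).map(([m, a]) => `${m}/${a}`);
}
```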

Distribution lists allow discovering private contacts of other users (CVE-2023-24598)

Description

Editing distribution lists allowed adding contacts from foreign accounts to which the attacker has no read access.

Internal reference: MWB-1995
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
Discovery date: 2023-01-09

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS base score: 6.5

Remediations

Vendor fix (2023-02-06)

We improved permission checks when editing distribution lists to restrict access.

For products:

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers within the same context can discover fragments of contact information from folders without read access, including other users' personal contact folders.

Header length does not get limited for external content (CVE-2023-24604)

Description

HTTP client requests initiated by App Suite middleware were not validating the length of HTTP headers.

Internal reference: MWB-1983
CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2023-01-03

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS base score: 4.3

Remediations

Vendor fix (2023-02-06)

We introduced a limitation for HTTP header length and reject processing if a threshold is hit.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

In case an attacker-controlled resource (e.g. an iCal feed) returned an excessive number of HTTP headers, the system could temporarily lock up while processing those headers.

Size limits for external content are not considered for data transfer (CVE-2023-24603)

Description

HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits.

Internal reference: MWB-1981
CWE: CWE-400: Uncontrolled Resource Consumption
Discovery date: 2023-01-03

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CVSS base score: 4.3

Remediations

Vendor fix (2023-02-06)

We improved the limitation for content length and immediately stop downloading if a threshold is hit.

For products:

Threats

Exploit status

No publicly available exploits are known.

Impact

In case an attacker-controlled resource (e.g. an iCal feed) returned an excessive amount of data, it would be fully downloaded before size checks were applied. While this could not be used to lock up the system, it is a plausible amplification vector for denial-of-service attacks against other services.
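Added example (not OX App Suite code) covering both this entry and the header-length entry above (CVE-2023-24604): a header budget check and a body reader that aborts at the first chunk over the limit, beside the buffer-then-check version; the limits, header layout and chunk source are constructed assumptions.

```javascript
// Added example (not OX App Suite code): bounding what an HTTP client accepts
// from an untrusted resource such as an iCal feed. Limits are assumed values.
const MAX_HEADER_COUNT = 100;
const MAX_HEADER_BYTES = 8 * 1024;    // all response header names + values
const MAX_BODY_BYTES = 1024 * 1024;   // 1 MiB per fetched feed
class LimitExceeded extends Error {}

// rawHeaders is a flat [name, value, name, value, ...] array, the layout of
// Node's http.IncomingMessage.rawHeaders. Returns the byte total when within limits.
function checkHeaders(rawHeaders, maxBytes = MAX_HEADER_BYTES, maxCount = MAX_HEADER_COUNT) {
  if (rawHeaders.length / 2 > maxCount) throw new LimitExceeded('too many headers');
  let total = 0;
  for (const part of rawHeaders) {
    total += Buffer.byteLength(part);
    if (total > maxBytes) throw new LimitExceeded('headers too large');
  }
  return total;
}

// Vulnerable shape: buffer the whole body first and check the size afterwards,
// so everything the server sent has already been transferred.
function readBodyVulnerable(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  for (const c of chunks) parts.push(c);
  const body = Buffer.concat(parts);
  if (body.length > maxBytes) throw new LimitExceeded('body too large');
  return body;
}

// Fixed shape: refuse up front if Content-Length already exceeds the limit,
// then count bytes as they arrive and stop at the first chunk that crosses
// the threshold (on a live stream this is where res.destroy() would go).
function readBodyBounded(chunks, maxBytes = MAX_BODY_BYTES, declaredLength = null) {
  if (declaredLength !== null && declaredLength > maxBytes) throw new LimitExceeded('declared body too large');
  const parts = [];
  let received = 0;
  for (const c of chunks) {
    received += c.length;
    if (received > maxBytes) throw new LimitExceeded('body too large');
    parts.push(c);
  }
  return Buffer.concat(parts);
}

// Constructed chunk source that records how many chunks were actually pulled,
// standing in for the response stream from the remote server.
function* countingChunks(count, size, stats) {
  for (let i = 0; i < count; i++) { stats.pulled++; yield Buffer.alloc(size, 0x41); }
}
```

With ten 1000-byte chunks and a 2500-byte limit, the vulnerable reader pulls all ten before failing, while the bounded reader stops after the third.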

Users can change arbitrary appointments by ID confusion (CVE-2023-24599)

Description

Appointments of other users could be changed without the appropriate authorization by sending conflicting object IDs within the same request.

Internal reference: MWB-1978
CWE: CWE-639: Authorization Bypass Through User-Controlled Key
Discovery date: 2023-01-01

Product status

Last affected:
Product: OX App Suite backend 7.10.6-rev36
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CVSS base score: 7.1

Remediations

Vendor fix (2023-02-06)

We improved permission checks when updating appointments to restrict access.

For products:

Acknowledgments

Threats

Exploit status

No publicly available exploits are known.

Impact

Attackers within the same context can modify fragments of appointment information in folders without read access, including other users' personal calendar folders.
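Added example (not OX App Suite code) of the ID-confusion pattern behind this entry: an update handler that authorizes on one object id but writes to another, beside the fixed handler that rejects conflicting ids and checks the object it actually modifies; the request shape, appointment records and folder ownership are constructed assumptions.

```javascript
// Added example (not OX App Suite code): an appointment update handler where
// the object id can arrive both as a request parameter and inside the JSON
// body. Request and appointment shapes are assumptions.

// Constructed sample data: alice and bob each own one appointment.
const appointments = {
  a1: { id: 'a1', folder: 'alice-cal', title: 'Dentist' },
  b1: { id: 'b1', folder: 'bob-cal',   title: 'Standup' },
};
const folderOwner = { 'alice-cal': 'alice', 'bob-cal': 'bob' };

function canWrite(user, appt) {
  return appt !== undefined && folderOwner[appt.folder] === user;
}

// Vulnerable shape: the permission check looks at params.id, but the write is
// applied to body.id, so a request carrying two different ids passes the check
// on the caller's own object and then modifies someone else's.
function updateVulnerable(user, params, body) {
  if (!canWrite(user, appointments[params.id])) throw new Error('forbidden');
  const target = appointments[body.id];        // second, unchecked id
  Object.assign(target, { title: body.title });
  return target;
}

// Fixed shape: exactly one authoritative id. A body id that disagrees with the
// parameter is rejected, and the check is made on the object that will change.
function updateFixed(user, params, body) {
  if (body.id !== undefined && body.id !== params.id) throw new Error('conflicting ids');
  const target = appointments[params.id];
  if (!canWrite(user, target)) throw new Error('forbidden');
  Object.assign(target, { title: body.title });
  return target;
}
```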