
List:       full-disclosure
Subject:    [FD] OXAS-ADV-2022-0002: OX App Suite Security Advisory
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2023-02-09 8:40:01
Message-ID: 1156189076.771.1675932001684 () appsuite-dev ! open-xchange ! com

Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving these vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

A CSAF representation of this advisory has been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-1795
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-07-29
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-37306
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
XSS using "upsell" triggers. Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code is executed during subsequent logins and when the "Portal" application is opened, enabling a persistent cross-site scripting attack vector.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.



---



Internal reference: OXUIB-1933
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19
First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20
Discovery date: 2022-09-26
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-43696
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
XSS using "upsell ads". HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code is executed during subsequent logins and when the "Portal" application is opened, enabling a persistent cross-site scripting attack vector.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We improved the sanitization process for upsell ads.



---



Internal reference: MWB-1784
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-08-16
Solution date: 2022-10-25
Disclosure date: 2023-02-08
CVE: CVE-2022-43697
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
"Tracking" features can be used to inject arbitrary script code. If activity tracking adapters are enabled but not defined, users can use jslob to define their own tracking settings for an account. This allows adding arbitrary values that trigger a specific URL or load a library.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We made the related jslob configuration endpoint read-only for users.



---



Internal reference: MWB-1823
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-09-14
Solution date: 2022-10-24
Disclosure date: 2023-02-08
CVE: CVE-2022-43698
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
SSRF using POP3 account updates. When a user changed a valid external POP3 mail account, the operation that updates the account's settings did not consider deny-list values.

Risk:
Server-initiated requests can be directed to internal resources that are restricted by deny-list settings. This can be used to determine "internal" addresses and services, depending on the measurement and content of error responses. While no data from such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.

Solution:
We now check compliance with existing deny-list content when updating POP3 mail accounts.



---



Internal reference: MWB-1862
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-10-06
Solution date: 2022-11-07
Disclosure date: 2023-02-08
CVE: CVE-2022-43699
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connection checks based on the host part of the E-Mail address. These checks did not take existing deny-lists into account, allowing attackers with control over the DNS records of a domain to redirect requests to illegal addresses.

Risk:
Server-initiated requests can be directed to internal resources that are restricted by deny-list settings. This can be used to determine "internal" addresses and services, depending on the measurement and content of error responses. While no data from such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.

Solution:
We check for compliance with existing deny-list content when performing mail account autodiscovery.
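As an added example (not Open-Xchange code), the following shows the shape of the deny-list check that the fixes for MWB-1823 and MWB-1862 describe: the host a user supplies for a POP3 account, or the host part of an address handed to autodiscovery, is resolved and every resulting address is compared against deny-listed ranges, so DNS records under an attacker's control cannot steer a request around the list. The deny-list ranges, the DNS records and all function names are constructed for this example.

```python
import ipaddress
from typing import Callable, Iterable

# Constructed deny-list: loopback, RFC 1918 and link-local ranges (v4 and v6).
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed DNS records standing in for a real resolver, so the example runs offline.
FAKE_DNS = {
    "pop.mail.example": ["203.0.113.10"],                 # public only: allowed
    "mail.evil.example": ["198.51.100.7", "10.0.0.5"],    # public + internal: denied
    "metadata.internal.example": ["169.254.169.254"],     # link-local: denied
}

def fake_resolve(host: str) -> Iterable[str]:
    return FAKE_DNS.get(host, [])

def host_from_address(email: str) -> str:
    """Host part of an e-mail address, as autodiscovery derives it."""
    local, sep, host = email.rpartition("@")
    if not sep or not local or not host:
        raise ValueError("not an e-mail address: %r" % email)
    return host.lower().rstrip(".")

def is_denied(host: str, resolve: Callable[[str], Iterable[str]] = fake_resolve) -> bool:
    """True if the host (a literal IP or a name) maps to any deny-listed address.
    Resolved addresses are checked, not the name, so attacker-controlled DNS
    records cannot steer the request past the list; every record must pass."""
    host = host.lower().rstrip(".")
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP: no lookup
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        return True                                   # unresolvable: fail closed
    return any(a in net for a in addrs for net in DENY_NETWORKS)

def check_account_target(host: str) -> bool:
    """Gate for external mail account creation *and* update (MWB-1823: the
    update path lacked it). True means the server may connect."""
    return not is_denied(host)

def check_autodiscovery_target(email: str) -> bool:
    """Gate for autodiscovery on the address's host part (MWB-1862)."""
    return not is_denied(host_from_address(email))
```

The same gate has to sit on every code path that opens a server-side connection; MWB-1823 is exactly the case of one path (account update) being left out.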



---



Internal reference: MWB-1882, DOCS-4580
Vulnerability type: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
Component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6
Discovery date: 2022-10-19
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-42889
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:
Apache Commons Text update. A critical vulnerability in the Apache Commons Text library, which is used by OX App Suite and OX Documents, has been identified. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge, this means our products are not vulnerable.

Risk:
Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known.

Solution:
We provided an update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
