
List:       full-disclosure
Subject:    [FD] OXAS-ADV-2023-0001: OX App Suite Security Advisory
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2023-05-05 11:58:55
Message-ID: 1344815555.2009.1683287936119 () appsuite-guard ! open-xchange ! com


Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2130
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24597
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:
Remote resources are loaded in print view. When an E-Mail is flagged as Spam, or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically in order to protect users' privacy. However, when printing an E-Mail, external content was loaded automatically without user consent.

Risk:
Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour. No publicly available exploits are known.

Solution:
We now apply the same setting for loading external content when generating the E-Mail print content.
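As an added example (not OX App Suite code) of the class of fix described above: a single remote-content decision that both the normal mail view and the print view pass through, so the print path cannot skip it. The function and field names (allowRemoteContent, renderMailView, renderMailPrint, flaggedAsSpam, loadRemoteContentByDefault) and the sample mail are assumed for illustration; only the behaviour follows the advisory. The attribute rewrite is a string-level simplification; a DOM-based sanitizer is the robust choice in a real client.

```javascript
// Added example, not OX App Suite code. Names and data shapes are assumed.

// Matches src/poster attributes pointing at an http(s) or protocol-relative
// URL, so they can be neutralised before the markup reaches a browser.
const REMOTE_SRC_RE =
  /(<[a-z][^>]*?\s)(src|poster)\s*=\s*(["'])((?:https?:)?\/\/[^"'>\s]*)\3/gi;

// Decide once, from the mail's spam flag and the user's default setting,
// whether remote resources may be fetched. explicitConsent is only true when
// the user actively asked to load external content for this mail.
function allowRemoteContent(mail, settings, explicitConsent = false) {
  if (explicitConsent) return true;
  if (mail.flaggedAsSpam) return false;             // spam never loads remote content
  return settings.loadRemoteContentByDefault === true;
}

// Rewrite remote references so the browser will not request them. The URL is
// kept in a data- attribute so the client can restore it after consent.
function blockRemoteResources(html) {
  return html.replace(REMOTE_SRC_RE, (m, prefix, attr, quote, url) =>
    `${prefix}data-blocked-${attr}=${quote}${url}${quote}`);
}

// The one place the policy is applied; every renderer must go through it.
function prepareBody(mail, settings, explicitConsent = false) {
  return allowRemoteContent(mail, settings, explicitConsent)
    ? mail.bodyHtml
    : blockRemoteResources(mail.bodyHtml);
}

function renderMailView(mail, settings, explicitConsent = false) {
  return `<div class="mail-view">${prepareBody(mail, settings, explicitConsent)}</div>`;
}

// The advisory's bug was a print path that did not call the shared policy.
function renderMailPrint(mail, settings, explicitConsent = false) {
  return `<html><body class="print">${prepareBody(mail, settings, explicitConsent)}</body></html>`;
}

// Constructed sample: a spam-flagged mail carrying a 1x1 tracking pixel.
const sampleMail = {
  flaggedAsSpam: true,
  bodyHtml: '<p>Hello</p><img src="https://tracker.example/pixel.gif" width="1" height="1">',
};
const sampleSettings = { loadRemoteContentByDefault: false };
```

Both renderers call prepareBody(), so a regression test that asserts the print output contains no live src attribute for a spam mail covers the exact gap the advisory describes.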



---



Internal reference: OXUIB-2034
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-11-02
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24601
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS with non-app deeplinks like "registry". The "registry" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account or would have to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We made the relevant jslob path read-only for users.
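As an added example (not OX App Suite code) of the "read-only for users" fix: a settings write handler that refuses user-originated writes below protected sub-trees. The path strings ("io.ox/core/registry"), the Map-backed store and the principal shape are assumed for illustration; the page only states that the registry sub-tree became read-only.

```javascript
// Added example, not OX App Suite code. Path names and shapes are assumed.

// Sub-trees that only the server/administrator may change because their
// contents decide which modules the client loads.
const READ_ONLY_PREFIXES = ['io.ox/core/registry'];

// Exact match or a child path; "io.ox/core/registryfoo" is not protected.
function isProtectedPath(path) {
  return READ_ONLY_PREFIXES.some(p => path === p || path.startsWith(p + '/'));
}

// Apply a user-originated write. Returns { ok, error } instead of throwing so
// the caller can map it to an API error response. Deny first, then write.
function applyUserWrite(store, path, value, principal) {
  if (typeof path !== 'string' || path.length === 0) {
    return { ok: false, error: 'invalid path' };
  }
  if (isProtectedPath(path) && principal.role !== 'admin') {
    return { ok: false, error: `path ${path} is read-only for users` };
  }
  store.set(path, value);
  return { ok: true };
}

// Constructed sample store; a real backend would persist per user.
const sampleStore = new Map();
```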




---



Internal reference: OXUIB-2033
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-02-11
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24602
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS at the Tumblr portal widget due to missing content sanitization. External content, like post titles, has been evaluated as HTML when adding Tumblr feeds to the portal page.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this, an attacker would require temporary access to the user's account, would have to compromise a Tumblr feed, or would have to make the victim include a malicious feed. No publicly available exploits are known.

Solution:
We now insert untrusted external content as plain text.
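As an added example (not OX App Suite code) of the pattern behind this advisory and its fix: renderPostUnsafe() concatenates feed fields straight into markup, while renderPost() inserts every untrusted field as text and only accepts http(s) links. The field names (title, body, url) and the sample feed item are assumed for illustration.

```javascript
// Added example, not OX App Suite code. Feed field names are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turn arbitrary text into something the HTML parser treats as text only.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Only http(s) links from the feed are kept; anything else becomes a dead link.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '#';
  } catch {
    return '#';
  }
}

// Vulnerable pattern: feed text is evaluated as HTML by whoever renders this.
function renderPostUnsafe(post) {
  return `<h3><a href="${post.url}">${post.title}</a></h3><div>${post.body}</div>`;
}

// Hardened: every external field is escaped, so "<script>" in a title is shown
// literally instead of being parsed as a tag, and the link scheme is checked.
function renderPost(post) {
  return `<h3><a href="${escapeHtml(safeHref(post.url))}">${escapeHtml(post.title)}</a></h3>` +
         `<div>${escapeHtml(post.body)}</div>`;
}

// Constructed sample feed item with a hostile title and a non-http link.
const hostilePost = {
  title: 'Hello <script>alert("x")</script>',
  body: 'plain body',
  url: 'javascript:void(0)',
};
```

In a browser the same effect is obtained by assigning the fields to textContent instead of innerHTML; the escaping function is what you need when the widget builds a markup string first.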



---



Internal reference: MWB-1998
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24600
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:
"Read own/delete all" permissions allow moving other users' contacts to one's own address book. Folder ACL combinations like "read own, delete all" were incorrectly applied and allowed users to move objects which they were not expected to read.

Risk:
Moving objects to folders with read access effectively bypassed the "read own" restriction. No publicly available exploits are known.

Solution:
Permission checks have been updated and now include checking for read permissions when performing move operations.



---



Internal reference: MWB-1997
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24605
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:
API access was not fully restricted when requiring 2FA. When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor.

Risk:
Attackers with access to a victim's credentials were able to perform limited read operations on contacts and drive as well as modify names of the multi-factor tokens. No publicly available exploits are known.

Solution:
We added permission checks to make sure all kinds of API paths are restricted prior to being fully authenticated.
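As an added example (not OX App Suite code) of gating an API behind the second factor: a session is "fully authenticated" only after the second factor succeeded, and until then only the endpoints needed to complete that step are reachable. The endpoint names, the session fields and the allowlist are assumed for illustration; the page does not name the real endpoints.

```javascript
// Added example, not OX App Suite code. Endpoint and session names are assumed.

// The only calls a password-only session may make: enumerate, start and
// answer a second-factor challenge, or log out again.
const PRE_2FA_ALLOWED = new Set([
  'multifactor?action=list',
  'multifactor?action=begin',
  'multifactor?action=verify',
  'login?action=logout',
]);

// anonymous: no password yet; partial: password ok but 2FA still pending;
// full: either 2FA done or not required for this account.
function sessionState(session) {
  if (!session || !session.passwordVerified) return 'anonymous';
  if (session.requiresSecondFactor && !session.secondFactorVerified) return 'partial';
  return 'full';
}

// Deny-by-default: anything not explicitly permitted for a partial session is
// refused, so a newly added endpoint cannot become reachable before 2FA.
function authorize(session, endpoint) {
  const state = sessionState(session);
  if (state === 'full') return { allowed: true, reason: 'fully authenticated' };
  if (state === 'partial' && PRE_2FA_ALLOWED.has(endpoint)) {
    return { allowed: true, reason: 'pre-2FA endpoint' };
  }
  return {
    allowed: false,
    reason: state === 'partial' ? 'second factor pending' : 'not authenticated',
  };
}

// Constructed sample sessions.
const partialSession = { passwordVerified: true, requiresSecondFactor: true, secondFactorVerified: false };
const fullSession = { passwordVerified: true, requiresSecondFactor: true, secondFactorVerified: true };
const no2faSession = { passwordVerified: true, requiresSecondFactor: false, secondFactorVerified: false };
```

The allowlist is the whole policy: renaming a multi-factor token, reading contacts or listing drive files are simply absent from it, which is what closes the gap the advisory describes.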



---



Internal reference: MWB-1995
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-09
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24598
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:
Distribution lists allow discovering private contacts of other users. Editing distribution lists allowed adding contacts from foreign accounts where the attacker has no read access.

Risk:
Attackers within the same context can discover fragments of contact information from folders without read access, including other users' personal contact folders. No publicly available exploits are known.

Solution:
We improved permission checks when editing distribution lists to restrict access.
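As an added example (not OX App Suite code) serving both the MWB-1998 move issue and this distribution-list issue: folder permissions with "own"/"all" scopes and two operations that must each check read access on the source object, moving an object between folders and adding an existing contact to a distribution list by reference. The permission model, data shapes, function names and the sample data are assumed for illustration.

```javascript
// Added example, not OX App Suite code. Permission model and shapes are assumed.

// perms[folderId][userId] = { read: 'none'|'own'|'all', delete: 'none'|'own'|'all', create: bool }
function permissionFor(perms, folderId, userId) {
  return (perms[folderId] && perms[folderId][userId]) ||
         { read: 'none', delete: 'none', create: false };
}

// "own" only covers objects the user created in that folder.
function scopeAllows(scope, obj, userId) {
  return scope === 'all' || (scope === 'own' && obj.createdBy === userId);
}

function canRead(perms, obj, userId) {
  return scopeAllows(permissionFor(perms, obj.folderId, userId).read, obj, userId);
}

function canDelete(perms, obj, userId) {
  return scopeAllows(permissionFor(perms, obj.folderId, userId).delete, obj, userId);
}

// A move is a read + delete on the source and a create on the target. Checking
// only delete on the source is what let a "read own / delete all" user move,
// and thereby read, other users' contacts (MWB-1998).
function moveObject(perms, objects, objId, targetFolderId, userId) {
  const obj = objects.get(objId);
  if (!obj) return { ok: false, error: 'not found' };
  if (!canRead(perms, obj, userId)) return { ok: false, error: 'forbidden' };
  if (!canDelete(perms, obj, userId)) return { ok: false, error: 'forbidden' };
  if (!permissionFor(perms, targetFolderId, userId).create) return { ok: false, error: 'forbidden' };
  obj.folderId = targetFolderId;
  return { ok: true };
}

// Adding a member by reference must not reveal any field of a contact the
// caller cannot read (MWB-1995). Fail closed with the same error as "not
// found" so the response does not even confirm that the contact exists.
function addDistributionListMembers(perms, objects, list, memberIds, userId) {
  const members = [];
  for (const id of memberIds) {
    const contact = objects.get(id);
    if (!contact || !canRead(perms, contact, userId)) {
      return { ok: false, error: 'member not found or not readable' };
    }
    members.push({ id: contact.id, displayName: contact.displayName, email: contact.email });
  }
  list.members.push(...members);
  return { ok: true, added: members.length };
}

// Constructed sample: alice's private address book, where bob holds
// "read own / delete all", and bob's own folder.
const samplePerms = {
  'alice-private': { bob: { read: 'own', delete: 'all', create: false } },
  'bob-private':   { bob: { read: 'all', delete: 'all', create: true } },
};
const sampleObjects = new Map([
  ['c1', { id: 'c1', folderId: 'alice-private', createdBy: 'alice', displayName: 'Secret Contact', email: 's@example.invalid' }],
  ['c2', { id: 'c2', folderId: 'alice-private', createdBy: 'bob',   displayName: 'Bob Added',      email: 'b@example.invalid' }],
]);
```

All-or-nothing handling in addDistributionListMembers() matters: committing the readable members and rejecting the rest would still tell the caller which IDs exist.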



---



Internal reference: MWB-1983
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24604
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Header length does not get limited for external content. HTTP client requests initiated by the App Suite middleware were not validating the length of HTTP headers.

Risk:
In case an attacker-controlled resource (e.g. an iCal feed) returned an excessive amount of HTTP headers, the system could temporarily lock up while processing those headers. No publicly available exploits are known.

Solution:
We introduced a limitation for HTTP header length and reject processing if a threshold is hit.



---



Internal reference: MWB-1981
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24603
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Size limits for external content are not considered during data transfer. HTTP client requests initiated by the App Suite middleware did not stop downloads for resources that exceed size limits.

Risk:
In case an attacker-controlled resource (e.g. an iCal feed) returned an excessive amount of data, it would be fully downloaded before size checks were applied. While this could not be used to lock up the system, it is a plausible amplification vector for denial-of-service attacks against other services. No publicly available exploits are known.

Solution:
We improved the limitation for content length and immediately stop downloading if a threshold is hit.
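As an added example (not OX App Suite code) covering both MWB-1983 and MWB-1981: the two limits an HTTP client should enforce when fetching an attacker-controllable external resource such as an iCal feed. parseHeadersWithLimit() bounds the header block by bytes and line count before parsing it, exceedsDeclaredLength() rejects on Content-Length up front, and readBodyWithLimit() stops pulling body chunks the moment the cap is passed instead of downloading everything and checking afterwards. The thresholds, function names and the chunk generator standing in for a misbehaving server are constructed for illustration.

```javascript
// Added example, not OX App Suite code. Limits and names are assumed.

const MAX_HEADER_BYTES = 16 * 1024;    // whole header block
const MAX_HEADER_COUNT = 100;
const MAX_BODY_BYTES = 1024 * 1024;    // 1 MiB per fetched resource

// rawHeaderText: the text between the status line and the blank line.
// Size is checked before any parsing so a huge block is never tokenised.
function parseHeadersWithLimit(rawHeaderText, limits = {}) {
  const maxBytes = limits.maxBytes ?? MAX_HEADER_BYTES;
  const maxCount = limits.maxCount ?? MAX_HEADER_COUNT;
  if (new TextEncoder().encode(rawHeaderText).length > maxBytes) {
    return { ok: false, error: 'header block too large' };
  }
  const headers = new Map();
  let count = 0;
  for (const line of rawHeaderText.split(/\r?\n/)) {
    if (line.length === 0) continue;
    if (++count > maxCount) return { ok: false, error: 'too many header lines' };
    const idx = line.indexOf(':');
    if (idx <= 0) return { ok: false, error: 'malformed header line' };
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { ok: true, headers };
}

// Cheap early exit: a server that announces an oversized body is refused
// before a single body byte is read. Servers can lie, so the streaming check
// below is still required.
function exceedsDeclaredLength(headers, maxBytes = MAX_BODY_BYTES) {
  const declared = Number.parseInt(headers.get('content-length') ?? '', 10);
  return Number.isFinite(declared) && declared > maxBytes;
}

// chunks: any iterable of Uint8Array (what a socket or fetch body yields).
// Abort as soon as the running total passes maxBytes; remaining chunks are
// never pulled, so the transfer is not amplified on the server side.
function readBodyWithLimit(chunks, maxBytes = MAX_BODY_BYTES) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    total += chunk.length;
    if (total > maxBytes) {
      return { ok: false, error: 'body exceeds size limit', consumed: total };
    }
    parts.push(chunk);
  }
  const body = new Uint8Array(total);
  let off = 0;
  for (const p of parts) { body.set(p, off); off += p.length; }
  return { ok: true, body };
}

// Constructed stand-in for a feed server that keeps sending fixed-size chunks.
// It counts how many chunks were actually pulled so a test can confirm the
// reader stopped early.
function makeChunkSource(chunkSize, chunkCount, counter) {
  return (function* () {
    for (let i = 0; i < chunkCount; i++) {
      counter.pulled++;
      yield new Uint8Array(chunkSize);
    }
  })();
}
```

With a 64 KiB cap and 4 KiB chunks the reader pulls exactly 17 chunks (16 fit, the 17th crosses the line) out of the 1000 the source would have delivered.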



---



Internal reference: MWB-1978
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-01
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24599
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:
Users can change arbitrary appointments by ID confusion. Appointments of other users could be changed without the appropriate authorization by sending conflicting object IDs within the same request.

Risk:
Attackers within the same context can modify fragments of appointment information in folders without read access, including other users' personal calendar folders. No publicly available exploits are known.

Solution:
We improved permission checks when updating appointments to restrict access.
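As an added example (not OX App Suite code) of defending against ID confusion: an update handler that requires every copy of an identifier in the request to agree, loads the object by that one ID, authorizes against the stored object's folder rather than anything the client sent, and never lets id/folder fields in the body overwrite the object's own. The request shape (query vs. body), the permission model and the sample calendar are assumed for illustration.

```javascript
// Added example, not OX App Suite code. Request shape and permissions are assumed.

const UPDATABLE_FIELDS = ['title', 'start', 'end', 'location'];

function updateAppointment(store, perms, request, userId) {
  const { query, body } = request;

  // 1. Every place an ID can appear must agree, otherwise the request is
  //    rejected outright. This is the check that defeats "authorize on one
  //    ID, apply the change to another".
  const ids = [query.id, body.id].filter(v => v !== undefined);
  const folders = [query.folder, body.folder].filter(v => v !== undefined);
  if (ids.length === 0 || new Set(ids).size !== 1) {
    return { ok: false, error: 'conflicting or missing object id' };
  }
  if (folders.length === 0 || new Set(folders).size !== 1) {
    return { ok: false, error: 'conflicting or missing folder id' };
  }
  const id = ids[0];
  const folderId = folders[0];

  // 2. Load by ID and treat the stored folder as the source of truth; a
  //    client-supplied folder the object is not actually in is rejected.
  const appt = store.get(id);
  if (!appt || appt.folderId !== folderId) return { ok: false, error: 'not found' };

  // 3. Authorize against the loaded object, never against request fields.
  //    An unauthorized caller gets the same answer as for a missing object.
  const perm = (perms[appt.folderId] && perms[appt.folderId][userId]) || {};
  const mayWrite = perm.write === 'all' || (perm.write === 'own' && appt.createdBy === userId);
  if (!mayWrite) return { ok: false, error: 'not found' };

  // 4. Apply only allowlisted fields; id and folderId can never be changed here.
  for (const f of UPDATABLE_FIELDS) {
    if (f in body) appt[f] = body[f];
  }
  return { ok: true, appointment: appt };
}

// Constructed sample: two private calendars; bob may write only his own.
const samplePerms = {
  'alice-cal': { alice: { write: 'all' } },
  'bob-cal':   { bob:   { write: 'all' } },
};
const sampleStore = new Map([
  ['a1', { id: 'a1', folderId: 'alice-cal', createdBy: 'alice', title: 'Dentist' }],
  ['a2', { id: 'a2', folderId: 'bob-cal',   createdBy: 'bob',   title: 'Sync' }],
]);
```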

