[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] OXAS-ADV-2024-0001: OX App Suite Security Advisory
From:       Martin Heiland via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2024-04-08 10:09:26
Message-ID: 2038854648.139.1712570966860 () asd-stable-core-mw-groupware-1 ! asd-stable-core-mw-hazelcast-headless ! asd-stable ! svc ! cluster ! local
[Download RAW message or body]

[Attachment #2 (multipart/signed)]


Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in \
finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App \
Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at \
https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.


Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2660
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site \
                Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.20
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.21
Discovery date: 2023-12-13
Solution date: 2024-02-05
Disclosure date: 2024-02-08
CVE: CVE-2024-23192
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS for RSS content using data-attributes. RSS feeds that contain malicious data- attributes \
could be abused to inject script code to a users browser session when reading compromised RSS \
feeds or successfully luring users to compromised accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. \
No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Potentially malicious attributes now get \
removed from external RSS content.



---



Internal reference: OXUIB-2663
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site \
                Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2023-12-13
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23191
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using data- attributes at upsell ads. Upsell advertisement information of an account can be \
manipulated to execute script code in the context of the users browser session. To exploit this \
an attacker would require temporary access to a users account or an successful social \
engineering attack to lure users to maliciously configured accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. \
No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell \
content has been improved.



---



Internal reference: OXUIB-2688
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site \
                Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2024-01-09
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23190
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using "data" attributes at upsell shop. Upsell shop information of an account can be \
manipulated to execute script code in the context of the users browser session. To exploit this \
an attacker would require temporary access to a users account or an successful social \
engineering attack to lure users to maliciously configured accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. \
No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell \
content has been improved.



---



Internal reference: OXUIB-2689
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site \
                Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.21
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.22
Discovery date: 2024-01-09
Solution date: 2024-02-01
Disclosure date: 2024-02-08
CVE: CVE-2024-23189
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS using tasks "original mail" references. Embedded content references at tasks could be used \
to temporarily execute script code in the context of the users browser session. To exploit this \
an attacker would require temporary access to the users account, access to another account \
within the same context or an successful social engineering attack to make users import \
external content.

Risk:
Attackers could perform malicious API requests or extract information from the users account. \
No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-generated content \
has been improved.



---



Internal reference: DOCS-5222
Type: CWE-502 (Deserialization of Untrusted Data)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev11
First fixed revision: OX App Suite office 7.10.6-rev12
Discovery date: 2024-01-24
Solution date: 2024-02-06
Disclosure date: 2024-02-08
CVE: CVE-2023-46604
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)

Details:
CVE-2023-46604 regarding office/dcs. CVE-2023-46604 has been identified at the Apache ActiveMQ \
(AMQ) project which affects a version of that component shipped by OX App Suite components.

Risk:
The vulnerability in AMQ can potentially be exploited in OX App Suite deployments, depending on \
network topology and configuration. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. We provide an updated version of the \
affected component that is not vulnerable.


[Attachment #5 (application/pgp-signature)]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic