
[FD] Open-Xchange Security Advisory 2022-09-01



Dear subscribers,

we're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving those vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324
Vendor notification: 2022-03-30
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29852
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The output filter for binary data decides on the declared media type and can be 
confused by media types it does not know. It relies on a deny-list of potentially 
harmful types, and some valid image formats were missing from that list. An 
attacker can generate, upload and share malicious JavaScript disguised as a 
BMFreehand10 (image/x-freehand) image file. Because this format is not detected 
as harmful, no download is enforced for it, and some browsers attempt to render 
the content inline instead.

Risk:
Malicious script code can be executed within the victim's context. This can lead 
to session hijacking or to unwanted actions being triggered via the web interface 
(e.g. redirecting to a third-party site). To exploit this, an attacker needs 
access to the same OX App Suite instance and must get the victim to follow a 
hyperlink.

Solution:
We improved content detection to include previously unknown media-types.
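As an added illustration (not OX App Suite code), the following Python models the two ways a download endpoint can decide whether a stored file may be rendered inline. The deny-list variant is the pattern the advisory describes: anything not explicitly known to be harmful goes out inline, so a declared type the list has never seen (image/x-freehand here) slips through. The hardened variant inverts this: inline only for an allow-list of types whose leading bytes agree with the declared type, and a forced download labelled as opaque bytes with X-Content-Type-Options: nosniff for everything else. The type lists, the signature table and the sample inputs are assumptions constructed for the example.

```python
from typing import Dict, Optional

# Assumed deny-list of media types a filter might refuse to render inline
# (constructed for this example; not the list OX App Suite actually used).
DENY_INLINE = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
}

# Assumed allow-list for the hardened variant: only types whose bytes can be
# verified and that browsers will not treat as active content.
ALLOW_INLINE = {"image/png", "image/jpeg", "image/gif", "application/pdf"}

# Well-known file signatures used to check that the body matches the declared type.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}


def sniff_media_type(data: bytes) -> Optional[str]:
    """Return the media type implied by the leading bytes, or None if unknown."""
    for media_type, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return media_type
    return None


def response_headers_denylist(declared_type: str, data: bytes) -> Dict[str, str]:
    """Flawed design: inline unless the declared type is on the deny-list.

    An unknown type such as image/x-freehand is not on the list, so a file whose
    body is really HTML/JavaScript is sent inline and the browser may sniff and
    render it.
    """
    disposition = "attachment" if declared_type in DENY_INLINE else "inline"
    return {"Content-Type": declared_type, "Content-Disposition": disposition}


def response_headers_allowlist(declared_type: str, data: bytes) -> Dict[str, str]:
    """Hardened design: inline only for allow-listed types whose magic bytes
    match the declared type; everything else is a forced download, labelled as
    opaque bytes, with content sniffing disabled.
    """
    if declared_type in ALLOW_INLINE and sniff_media_type(data) == declared_type:
        return {
            "Content-Type": declared_type,
            "Content-Disposition": "inline",
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs: a script disguised under an unknown image type,
# and a genuine PNG header.
DISGUISED_SCRIPT = b"<html><script>alert(document.cookie)</script></html>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(response_headers_denylist("image/x-freehand", DISGUISED_SCRIPT))
    print(response_headers_allowlist("image/x-freehand", DISGUISED_SCRIPT))
    print(response_headers_allowlist("image/png", REAL_PNG))
```

The allow-list variant also refuses a file declared as image/png whose bytes are not a PNG, which closes the other half of the same confusion: a declared type the filter does trust but a body it cannot verify.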



---



Internal reference: MWB-1572
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29853
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Malicious HTML content in e-mail can be used to bypass the existing content 
sanitization. In this case an attacker pads the message with junk so that it 
is treated as a huge HTML mail and the "Show entire message" feature is used, 
and that code path returns malicious output. The payload relies on a complex 
hierarchy of HTML elements and event handlers that confuses the existing 
sanitization logic.

Risk:
Malicious script code can be executed within the victim's context. This can lead 
to session hijacking or to unwanted actions being triggered via the web interface 
(e.g. redirecting to a third-party site). To exploit this, an attacker needs 
access to the same OX App Suite instance and must get the victim to follow a 
hyperlink.

Solution:
We improved detection and handling of such huge HTML blocks to make sure no 
malicious content is returned to the client.



---



Internal reference: MWB-1602
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-31468
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Attachment content and OX Drive files can be requested by the client in parts, 
using the "off" (offset) and "len" (length) parameters. Malicious HTML content 
is filtered, but the filter does not cover all kinds of HTML tags, so an 
attacker can use these parameters to extract a fragment that still contains 
malicious code.

Risk:
Malicious script code can be executed within the victim's context. This can lead 
to session hijacking or to unwanted actions being triggered via the web interface 
(e.g. redirecting to a third-party site). To exploit this, an attacker needs 
access to the same OX App Suite instance and must get the victim to follow a 
hyperlink.

Solution:
We improved detection and handling of malicious HTML content that is requested 
via the "off" and "len" parameters.
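MWB-1572 and MWB-1602 share a root cause: the bytes the client finally receives are not the bytes the sanitizer looked at, either because a size threshold switches to a different code path, or because an off/len window is cut from the stored content after, or instead of, filtering. The following Python is an added illustration, not OX's code, that models both flaws next to a version which runs the same allow-list sanitizer on exactly the content it returns. The toy sanitizer, the size limit, the request handling and the sample inputs are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Toy allow-list sanitizer (an assumption for this example, not OX App Suite's).
# It keeps a handful of harmless tags without attributes and escapes every
# other tag, every attribute-bearing tag and every stray '<', so an attribute
# such as onerror= can never reach the browser as markup.
SAFE_TAGS = {"p", "b", "i", "br"}
TAG_OR_LT = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|<")


def sanitize(html: str) -> str:
    def neutralize(m) -> str:
        slash, name, attrs = m.group(1), m.group(2), m.group(3)
        if name is None:                       # a lone '<', e.g. a tag cut by a window
            return "&lt;"
        if name.lower() in SAFE_TAGS and not attrs.strip():
            return "<%s%s>" % (slash, name.lower())
        return m.group(0).replace("<", "&lt;").replace(">", "&gt;")
    return TAG_OR_LT.sub(neutralize, html)


# A "fast" deny-list filter that only drops <script> blocks: the kind of shortcut
# a size-triggered code path might take. Event handlers survive it untouched.
SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)


def strip_script_tags(html: str) -> str:
    return SCRIPT_RE.sub("", html)


HUGE_LIMIT = 64 * 1024  # assumed size above which "Show entire message" applies


def render_mail_vuln(html: str, show_entire: bool) -> str:
    """MWB-1572 model: the full-size path uses a weaker filter than the normal one."""
    if len(html) <= HUGE_LIMIT:
        return sanitize(html)
    if not show_entire:
        return sanitize(html[:HUGE_LIMIT]) + "<p>[truncated]</p>"
    return strip_script_tags(html)           # BUG: padding past HUGE_LIMIT reaches this path


def render_mail_fixed(html: str, show_entire: bool) -> str:
    """Every path runs the same sanitizer on exactly the HTML it returns."""
    if len(html) > HUGE_LIMIT and not show_entire:
        return sanitize(html[:HUGE_LIMIT]) + "<p>[truncated]</p>"
    return sanitize(html)


def serve_range_vuln(data: bytes, off: int = 0,
                     length: Optional[int] = None) -> Tuple[bytes, Dict[str, str]]:
    """MWB-1602 model: only the whole-document request is filtered; a window
    selected with off/len is treated as opaque bytes and handed out as-is."""
    if off == 0 and length is None:
        body = sanitize(data.decode("utf-8", "replace")).encode("utf-8")
        return body, {"Content-Disposition": "inline"}
    end = len(data) if length is None else off + length
    return data[off:end], {"Content-Disposition": "inline"}   # BUG: unfiltered fragment


def serve_range_fixed(data: bytes, off: int = 0,
                      length: Optional[int] = None) -> Tuple[bytes, Dict[str, str]]:
    """Cut the window first, then sanitize what is actually delivered, and do
    not let the browser guess a type for a partial read."""
    end = len(data) if length is None else off + length
    chunk = data[off:end].decode("utf-8", "replace")
    headers = {"Content-Disposition": "attachment", "X-Content-Type-Options": "nosniff"}
    return sanitize(chunk).encode("utf-8"), headers


# Constructed samples: a padded mail carrying an event handler, and a stored
# attachment whose payload sits behind one byte of junk.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
HUGE_MAIL = "<p>" + "A" * HUGE_LIMIT + "</p>" + PAYLOAD
STORED_HTML = ("x" + PAYLOAD).encode("utf-8")

if __name__ == "__main__":
    print("vuln mail  :", render_mail_vuln(HUGE_MAIL, True)[-60:])
    print("fixed mail :", render_mail_fixed(HUGE_MAIL, True)[-60:])
    print("vuln range :", serve_range_vuln(STORED_HTML, 1, len(PAYLOAD))[0])
    print("fixed range:", serve_range_fixed(STORED_HTML, 1, len(PAYLOAD))[0])
```

The sanitizer deliberately escapes a `<` that has no closing `>` in the delivered window, because an attacker who controls the offset also controls where a tag is cut; filtering the slice rather than the whole document is what makes that property hold.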



---



Internal reference: DOCS-4428
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev5, 7.10.6-rev5
Vendor notification: 2022-04-19
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29851
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
If an instance running documentconverter (readerengine) has the Ghostscript (gs) 
utility installed, which is not part of the default installation, readerengine 
may invoke it when converting EPS files that are disguised as PDF files. 
Ghostscript has suffered from a range of vulnerabilities, some of which could be 
reached via readerengine. While most are non-deterministic and cannot be used to 
inflict relevant damage, a few may be used to execute code fragments embedded in 
EPS files on the target instance.

Risk:
Unauthorized code may be executed with the permissions of the "open-xchange" 
user on readerengine instances if additional software packages such as gs are 
installed. We urge customers to apply best-practice system hardening, which 
includes the removal of unused components.

Solution:
We removed the fallback to external commands for processing EPS and other file 
formats.
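The fix is a design change rather than a patched call: no external interpreter is ever used as a fallback, and the format is decided from the bytes, not from the declared name. The following Python is an added illustration (not the documentconverter code) of that decision next to the fallback pattern the advisory describes, plus a small check operators can run on readerengine hosts. The PDF and PostScript/EPS signatures are the standard file headers; the dispatch targets, the `gs_path` parameter and the sample files are assumptions constructed for the example.

```python
import shutil
from typing import Dict, Optional


def detect_format(data: bytes) -> str:
    """Classify by standard signatures: PDF starts with "%PDF-", PostScript
    with "%!PS", and an EPS file announces itself with "EPSF" on that first line."""
    head = data.lstrip(b" \t\r\n")[:256]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"%!PS"):
        first_line = head.split(b"\n", 1)[0]
        return "eps" if b"EPSF" in first_line else "postscript"
    return "unknown"


def plan_conversion_vuln(declared_ext: str, data: bytes, gs_path: Optional[str]) -> str:
    """Model of the removed fallback: the declared extension selects the PDF
    path, and when the built-in parser cannot handle the bytes an external
    interpreter is used if one happens to be installed. gs_path stands in for
    a PATH lookup so the example stays deterministic."""
    if declared_ext.lower() == "pdf":
        if detect_format(data) == "pdf":
            return "builtin-pdf"
        if gs_path:
            return "exec:" + gs_path         # BUG: an EPS named .pdf ends up in Ghostscript
    return "reject"


def plan_conversion_fixed(declared_ext: str, data: bytes, gs_path: Optional[str]) -> str:
    """Hardened: only content the built-in engine parses is accepted, the
    declared name must agree with the bytes, and there is no external-command
    path at all (gs_path is ignored on purpose)."""
    if detect_format(data) == "pdf" and declared_ext.lower() == "pdf":
        return "builtin-pdf"
    return "reject"


def external_interpreters_on_path(names=("gs", "ghostscript")) -> Dict[str, Optional[str]]:
    """Hardening check for a readerengine host: report interpreters found on PATH
    that the converter does not need and that best practice says to remove."""
    return {name: shutil.which(name) for name in names}


# Constructed samples: a minimal EPS header uploaded under a .pdf name, and a
# minimal genuine PDF header.
EPS_AS_PDF = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n/x { 1 add } def\n"
REAL_PDF = b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    print(plan_conversion_vuln("pdf", EPS_AS_PDF, "/usr/bin/gs"))
    print(plan_conversion_fixed("pdf", EPS_AS_PDF, "/usr/bin/gs"))
    print(external_interpreters_on_path())
```

Where gs cannot be removed from a host, Ghostscript's -dSAFER mode (the default since 9.50) restricts file access but does not make interpreting attacker-supplied PostScript safe, which is why removing the fallback entirely is the stronger fix.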


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/