
[FD] OXAS-ADV-2023-0001: OX App Suite Security Advisory



Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who 
contributed to finding and solving these vulnerabilities. Feel free to join our 
bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at 
https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2130
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24597
CVSS: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:
Remote resources are loaded in the print view. When an E-Mail is flagged as spam, 
or when a user has enabled the corresponding setting as a default, remote content 
in E-Mail is not requested automatically, to protect the user's privacy. However, 
when printing an E-Mail, external content was loaded automatically without the 
user's consent.

Risk:
Malicious remote content in E-Mail, like tracking pixels, could be used to 
analyze user behaviour: the request to the remote host reveals that and when the 
message was rendered, along with the client's IP address. No publicly available 
exploits are known.

Solution:
We now apply the same setting for loading external content when generating the 
E-Mail print content.
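The following is an added example, not OX App Suite code: it models the class of fix described above, a single external-content policy that both the normal message view and the print view must go through, so the print path cannot arrive at a more permissive answer than the view path. The sample mail, the setting names and the regex-based rewriting are assumptions made for the demonstration.

```javascript
// Added example, not OX App Suite code: one external-content policy that both
// the normal message view and the print view must pass through.

// A URL that would make the client contact a remote host when rendered.
// cid: (inline MIME part) and data: URLs are not remote and stay as they are.
function isRemoteUrl(url) {
  return /^\s*(https?:)?\/\//i.test(url);
}

const BLOCKED_PLACEHOLDER = 'about:blank';

// Rewrites every src="..." attribute and CSS url(...) pointing at a remote host.
// Regex-based for the demo; a real client should do this on a parsed DOM.
function applyExternalContentPolicy(html, settings) {
  if (settings.allowExternalContent) return { html, blocked: 0 };
  let blocked = 0;
  const out = html
    .replace(/(\bsrc\s*=\s*)(["'])(.*?)\2/gi, (match, attr, quote, url) => {
      if (!isRemoteUrl(url)) return match;
      blocked += 1;
      return `${attr}${quote}${BLOCKED_PLACEHOLDER}${quote}`;
    })
    .replace(/url\(\s*(["']?)(.*?)\1\s*\)/gi, (match, quote, url) => {
      if (!isRemoteUrl(url)) return match;
      blocked += 1;
      return `url(${quote}${BLOCKED_PLACEHOLDER}${quote})`;
    });
  return { html: out, blocked };
}

// The setting is resolved once (spam flag wins over the user preference) and
// handed to whichever renderer runs, so print and view get the same answer.
function resolveExternalContentSetting(mail, userPrefs) {
  const blockedBySpam = mail.flags.includes('spam');
  return { allowExternalContent: !blockedBySpam && userPrefs.allowExternalContent };
}

function renderForView(mail, settings) {
  return applyExternalContentPolicy(mail.html, settings).html;
}

// The OXUIB-2130 bug class is a print path that skipped the policy step.
function renderForPrint(mail, settings) {
  const body = applyExternalContentPolicy(mail.html, settings).html;
  return `<html><body class="print">${body}</body></html>`;
}

// Constructed sample: a tracking pixel, a remote CSS background, an inline image.
const SAMPLE_MAIL = {
  flags: ['spam'],
  html:
    '<p>Hello</p>' +
    '<img src="https://tracker.example/p.gif?u=42" width="1" height="1">' +
    '<div style="background:url(//cdn.example/bg.png)">offer</div>' +
    '<img src="cid:logo@example">',
};

const SETTINGS = resolveExternalContentSetting(SAMPLE_MAIL, { allowExternalContent: true });
console.log(renderForPrint(SAMPLE_MAIL, SETTINGS));
```

The point is structural: the policy is a function both renderers call, not a check embedded in one of them, so a new render path (print, preview, mobile) inherits it by default.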



---



Internal reference: OXUIB-2034
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page 
(Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-11-02
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24601
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS via non-app deep links such as "registry". The "registry" sub-tree of the 
jslob API defines which application modules and dependencies shall be loaded. 
Users were able to inject arbitrary references into it, including references to 
malicious code.

Risk:
Malicious script code can be executed within the victim's context. This can lead 
to session hijacking or to triggering unwanted actions via the web interface and 
API. To exploit this, an attacker would require temporary access to the user's 
account, or would have to lure the user into a compromised account. No publicly 
available exploits are known.

Solution:
We made the relevant jslob path read-only for users.
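As an added example, not OX App Suite code, the block below models a user-writable settings store in the spirit of the jslob API in which some sub-trees are owned by the server: users may read them, but any patch that touches them is rejected as a whole. The nested-object layout and the second protected key 'serverConfig' are assumptions; 'registry' is the sub-tree named in the advisory.

```javascript
// Added example, not OX App Suite code: a settings store where some sub-trees
// are server-owned. A patch touching any of them is rejected in full.

const READ_ONLY_PATHS = [
  ['registry'],      // which application modules and dependencies get loaded
  ['serverConfig'],  // hypothetical second server-owned sub-tree
];

// Keys that would let a patch reach Object.prototype instead of the settings.
const FORBIDDEN_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

class ForbiddenWrite extends Error {}

function isReadOnly(path) {
  return READ_ONLY_PATHS.some(ro => ro.every((key, i) => path[i] === key));
}

// Flattens a nested patch into [path, value] leaves. Arrays count as leaves.
function leaves(value, prefix = []) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return [[prefix, value]];
  }
  return Object.entries(value).flatMap(([k, v]) => leaves(v, [...prefix, k]));
}

// Validates the complete patch first, then applies it to a copy. Either every
// leaf is writable or nothing changes, so a mixed patch cannot partially land.
function applyUserPatch(settings, patch) {
  if (patch === null || typeof patch !== 'object' || Array.isArray(patch)) {
    throw new TypeError('patch must be an object');
  }
  const entries = leaves(patch);
  const denied = entries
    .filter(([path]) => isReadOnly(path) || path.some(k => FORBIDDEN_KEYS.has(k)))
    .map(([path]) => path.join('/'));
  if (denied.length > 0) {
    throw new ForbiddenWrite(`write to read-only path(s): ${denied.join(', ')}`);
  }
  const next = JSON.parse(JSON.stringify(settings));
  for (const [path, value] of entries) {
    let node = next;
    for (const key of path.slice(0, -1)) {
      if (node[key] === null || typeof node[key] !== 'object') node[key] = {};
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return next;
}

// Constructed data: stored settings, a normal preference change, and a patch
// that tries to re-point the mail module at attacker-hosted code.
const CURRENT_SETTINGS = {
  registry: { mail: 'io.ox/mail/main' },
  theme: 'default',
};
const BENIGN_PATCH = { theme: 'dark', autoOpenNotification: true };
const MALICIOUS_PATCH = { theme: 'dark', registry: { mail: 'https://attacker.example/evil.js' } };

console.log(applyUserPatch(CURRENT_SETTINGS, BENIGN_PATCH));
```

Rejecting the whole patch rather than silently dropping the protected keys keeps the failure visible to the client and avoids a half-applied update; the `__proto__` check is the usual companion guard whenever user JSON is merged into a server-side object.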




---



Internal reference: OXUIB-2033
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page 
(Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev23
First fixed revision: OX App Suite frontend 7.10.6-rev24
Discovery date: 2022-02-11
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24602
CVSS: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS in the Tumblr portal widget due to missing content sanitization. External 
content, such as post titles, was evaluated as HTML when adding Tumblr feeds to 
the portal page.

Risk:
Malicious script code can be executed within the victim's context. This can lead 
to session hijacking or to triggering unwanted actions via the web interface and 
API. To exploit this, an attacker would require temporary access to the user's 
account, would have to compromise a Tumblr feed, or would have to make the victim 
include a malicious feed. No publicly available exploits are known.

Solution:
We now insert untrusted external content as plain-text.
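Added example, not OX App Suite code: the two ways a portal widget can put a feed entry's title on the page, the vulnerable one (feed text concatenated into markup) next to the fixed one (feed text escaped so the parser can only read it as text). The feed item is constructed and does not reproduce Tumblr's real API shape.

```javascript
// Added example, not OX App Suite code: rendering an untrusted feed title as
// markup (the OXUIB-2033 pattern) versus as text.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Turns arbitrary text into something the HTML parser can only read as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Only http(s) links are acceptable in an href; anything else (javascript:,
// data:, a malformed URL) falls back to an inert '#'.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : '#';
  } catch {
    return '#';
  }
}

// Before: feed text is concatenated into markup that is later assigned to
// innerHTML, so a post title can carry an event handler.
function renderFeedItemVulnerable(item) {
  return `<li><a href="${item.url}">${item.title}</a></li>`;
}

// After: every untrusted field is escaped and the href is scheme-checked.
// In a live DOM the equivalent is createElement plus textContent, never innerHTML.
function renderFeedItem(item) {
  return `<li><a href="${escapeHtml(safeHref(item.url))}">${escapeHtml(item.title)}</a></li>`;
}

// Constructed feed entries: one hostile, one ordinary.
const HOSTILE_ITEM = {
  title: '<img src=x onerror="alert(document.cookie)">Cute cats',
  url: 'javascript:alert(1)',
};
const BENIGN_ITEM = { title: 'Tom & Jerry', url: 'https://example.tumblr.com/post/1' };

console.log(renderFeedItemVulnerable(HOSTILE_ITEM));
console.log(renderFeedItem(HOSTILE_ITEM));
```

Escaping the title fixes the reported issue; the href check is the companion step, since a feed also supplies the link target and `javascript:` in an attribute is not caught by HTML escaping.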



---



Internal reference: MWB-1998
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24600
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Details:
"Read own/delete all" permissions allow moving other users' contacts to one's own 
address book. Folder ACL combinations like "read own, delete all" were 
incorrectly applied and allowed users to move objects which they were not 
permitted to read.

Risk:
Moving an object into a folder where the attacker has read access effectively 
bypassed the "read own" restriction of the source folder. No publicly available 
exploits are known.

Solution:
Permission checks have been updated and now include a check for read permission 
when performing move operations.



---



Internal reference: MWB-1997
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-10
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24605
CVSS: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N)

Details:
API access was not fully restricted when 2FA is required. When using the built-in 
multi-factor authentication, a number of API endpoints could be accessed prior to 
successful authentication with the second factor.

Risk:
Attackers with access to a victim's credentials were able to perform limited read 
operations on contacts and Drive, as well as modify the names of the multi-factor 
tokens. No publicly available exploits are known.

Solution:
We added permission checks to make sure all API paths are restricted until the 
session is fully authenticated.
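Added example, not OX App Suite code: one authorization gate placed in front of every API call for sessions that have passed the password check but not yet the second factor. Everything is denied by default and only the handful of actions needed to finish or abandon the login are allowed, which is the opposite of the per-endpoint pattern where a forgotten check leaves an endpoint open. The session states, the `/ajax/<module>?action=` shape and the endpoint names are hypothetical.

```javascript
// Added example, not OX App Suite code: default-deny gate for a session that
// still owes the second factor. Endpoint and action names are hypothetical.

const STATE = Object.freeze({
  ANONYMOUS: 'anonymous',
  MFA_PENDING: 'mfa_pending',      // password accepted, second factor outstanding
  AUTHENTICATED: 'authenticated',
});

// "module/action" keys callable while MFA is pending.
const MFA_PENDING_ALLOWLIST = new Set([
  'multifactor/beginAuthentication',   // request a fresh challenge
  'multifactor/finishAuthentication',  // submit the second factor
  'login/logout',
]);

// Normalises a request to module/action so spelling variants of the same
// endpoint (trailing slash, extra path segments) cannot sidestep the list.
function requestKey(req) {
  const url = new URL(req.url, 'http://localhost');
  const module = url.pathname.replace(/^\/ajax\//, '').split('/')[0];
  const action = url.searchParams.get('action') || '';
  return `${module}/${action}`;
}

// Runs before dispatch, for every request, regardless of which module
// handles it afterwards.
function authorize(session, req) {
  switch (session.state) {
    case STATE.AUTHENTICATED:
      return { ok: true };
    case STATE.MFA_PENDING:
      if (MFA_PENDING_ALLOWLIST.has(requestKey(req))) return { ok: true };
      return { ok: false, status: 401, reason: 'second factor required' };
    default:
      return { ok: false, status: 401, reason: 'not authenticated' };
  }
}

// Constructed requests from a client that knows the password but not the token.
const PENDING = { state: STATE.MFA_PENDING, user: 'alice' };
const REQUESTS = [
  { url: '/ajax/multifactor?action=finishAuthentication&session=abc' },
  { url: '/ajax/contacts?action=all&folder=6' },            // read before 2FA: must fail
  { url: '/ajax/multifactor?action=rename&id=1&name=x' },   // token rename before 2FA: must fail
  { url: '/ajax/files/?action=list&folder=9' },             // drive listing: must fail
];
for (const req of REQUESTS) console.log(req.url, authorize(PENDING, req));
```

Note that the `multifactor` module is not allowed wholesale: the advisory lists renaming of multi-factor tokens among the operations that were reachable, so the allow-list is keyed on module and action together.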



---



Internal reference: MWB-1995
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-09
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24598
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:
Distribution lists allow discovering private contacts of other users. Editing a 
distribution list allowed adding contacts from foreign folders to which the 
attacker has no read access.

Risk:
Attackers within the same context can discover fragments of contact information 
from folders without read access, including other users' personal contact 
folders. No publicly available exploits are known.

Solution:
We improved permission checks when editing distribution lists to restrict 
access.
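The block below is an added example, not OX App Suite code, covering both the move check of MWB-1998 above and the distribution-list check of this entry, since both come down to the same question: may this user read the contact they are about to act on? It models folder ACLs with "own" grants (objects the user created) and "all" grants, shows the pre-fix move check beside the fixed one, and validates distribution-list member references. Folder, user and object data are constructed, and the permission names simplify real groupware ACLs.

```javascript
// Added example, not OX App Suite code: folder-ACL model for the MWB-1998
// (move) and MWB-1995 (distribution list) checks.

const LEVEL = { none: 0, own: 1, all: 2 };

// Constructed data. bob holds the "read own, delete all" combination on
// alice's address book.
const FOLDERS = {
  alice_contacts: {
    alice: { read: 'all', create: true,  delete: 'all' },
    bob:   { read: 'own', create: false, delete: 'all' },
  },
  bob_contacts: {
    bob:   { read: 'all', create: true,  delete: 'all' },
  },
};
const OBJECTS = {
  c1: { id: 'c1', folderId: 'alice_contacts', createdBy: 'alice', name: 'Private contact' },
  c2: { id: 'c2', folderId: 'alice_contacts', createdBy: 'bob',   name: 'Entry bob created' },
};

const NO_ACCESS = { read: 'none', create: false, delete: 'none' };

function aclFor(user, folderId) {
  return (FOLDERS[folderId] && FOLDERS[folderId][user]) || NO_ACCESS;
}

// "own" grants apply only to objects the user created; "all" to every object.
function hasLevel(grant, obj, user) {
  return LEVEL[grant] === LEVEL.all || (LEVEL[grant] === LEVEL.own && obj.createdBy === user);
}
function canRead(user, obj)   { return hasLevel(aclFor(user, obj.folderId).read, obj, user); }
function canDelete(user, obj) { return hasLevel(aclFor(user, obj.folderId).delete, obj, user); }

// Before the fix: move was treated as delete-from-source plus create-in-target.
function canMoveBeforeFix(user, obj, targetFolderId) {
  return canDelete(user, obj) && aclFor(user, targetFolderId).create;
}

// After: the object becomes readable wherever it lands, so the mover must
// already be allowed to read it where it is.
function canMove(user, obj, targetFolderId) {
  return canRead(user, obj) && canMoveBeforeFix(user, obj, targetFolderId);
}

// Distribution-list members are references (folder_id, id) to contacts. The
// server resolves them and echoes name and e-mail back, so each reference
// needs read access. "Missing" and "not readable" give the same answer to
// avoid an existence oracle.
function validateDistributionListMembers(user, memberRefs) {
  return memberRefs.map(ref => {
    const obj = OBJECTS[ref.id];
    const allowed = Boolean(obj) && obj.folderId === ref.folderId && canRead(user, obj);
    return { ref, allowed };
  });
}

console.log('pre-fix move:', canMoveBeforeFix('bob', OBJECTS.c1, 'bob_contacts'));
console.log('fixed move:  ', canMove('bob', OBJECTS.c1, 'bob_contacts'));
```

The pre-fix check is individually reasonable (the user really may delete and really may create); the defect is that a move is also a disclosure, which only shows up once read permission is part of the decision.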



---



Internal reference: MWB-1983
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24604
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Header length is not limited for external content. HTTP client requests 
initiated by the App Suite middleware did not validate the length of HTTP 
headers in the response.

Risk:
In case an attacker-controlled resource (e.g. an iCal feed) returned an 
excessive amount of HTTP headers, the system could temporarily lock up while 
processing those headers. No publicly available exploits are known.

Solution:
We introduced a limitation for HTTP header length and reject processing if a 
threshold is hit.



---



Internal reference: MWB-1981
Type: CWE-400 (Uncontrolled Resource Consumption)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-03
Solution date: 2023-02-06
Disclosure date: 2023-05-05
CVE: CVE-2023-24603
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Details:
Size limits for external content are not enforced during data transfer. HTTP 
client requests initiated by the App Suite middleware did not stop downloads of 
resources that exceed the size limit.

Risk:
In case an attacker-controlled resource (e.g. an iCal feed) returned an 
excessive amount of data, it would be downloaded in full before the size check 
was applied. While this could not be used to lock up the system, it is a 
plausible amplification vector for denial-of-service attacks against other 
services. No publicly available exploits are known.

Solution:
We improved the limitation for content length and immediately stop downloading 
if a threshold is hit.
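Added example, not OX App Suite code, for both MWB-1983 (header length) and MWB-1981 (body size) above: an outbound HTTP client that fetches resources a remote party controls, with the response headers checked against a running total and the body consumed chunk by chunk so the download stops at the first chunk that crosses the cap, instead of being buffered in full and measured afterwards. The response is modelled as a headers array plus an iterable of Buffer chunks; the limits, the feed and the header bomb are constructed.

```javascript
// Added example, not OX App Suite code: header-size and streaming body-size
// guards for an HTTP client fetching attacker-controllable resources.

const MAX_HEADER_BYTES = 16 * 1024;
const MAX_BODY_BYTES = 5 * 1024 * 1024;

class LimitExceeded extends Error {}

// Headers as [name, value] pairs in wire order. The running total is checked
// per header, so an endless stream of headers is cut off at the limit.
function checkHeaders(headers, max = MAX_HEADER_BYTES) {
  let total = 0;
  for (const [name, value] of headers) {
    total += Buffer.byteLength(name) + Buffer.byteLength(value) + 4; // ": " and CRLF
    if (total > max) throw new LimitExceeded(`response headers exceed ${max} bytes`);
  }
  return total;
}

// Reads body chunks and aborts at the first chunk that crosses the cap. The
// Content-Length claim (null when absent) is checked first but never trusted:
// a server can declare 1 KiB and send gigabytes.
function readBodyWithLimit(chunks, declaredLength, max = MAX_BODY_BYTES) {
  if (declaredLength !== null && declaredLength > max) {
    throw new LimitExceeded(`declared Content-Length ${declaredLength} exceeds ${max}`);
  }
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    received += chunk.length;
    if (received > max) {
      throw new LimitExceeded(`body exceeds ${max} bytes (stopped after ${received} bytes)`);
    }
    parts.push(chunk);
  }
  return Buffer.concat(parts);
}

// Applies both guards to a modelled response { headers, body() } and reports.
function fetchWithLimits(response, limits = {}) {
  try {
    const headerBytes = checkHeaders(response.headers, limits.maxHeaderBytes);
    const lengthHeader = response.headers.find(([n]) => n.toLowerCase() === 'content-length');
    const declared = lengthHeader ? Number(lengthHeader[1]) : null;
    const body = readBodyWithLimit(response.body(), declared, limits.maxBodyBytes);
    return { ok: true, headerBytes, bodyBytes: body.length };
  } catch (e) {
    if (e instanceof LimitExceeded) return { ok: false, reason: e.message };
    throw e;
  }
}

// Constructed hostile responses. `stats.pulled` records how many chunks the
// client actually read before giving up.
function* chunkStream(count, size, stats) {
  for (let i = 0; i < count; i++) {
    stats.pulled += 1;
    yield Buffer.alloc(size, 0x41);
  }
}
function oversizedFeed(stats) {
  return {
    headers: [['Content-Type', 'text/calendar'], ['Content-Length', '1024']], // lies
    body: () => chunkStream(1000, 1024, stats),
  };
}
function headerBomb(stats) {
  return {
    headers: Array.from({ length: 5000 }, (_, i) => [`X-Pad-${i}`, 'a'.repeat(100)]),
    body: () => chunkStream(1, 16, stats),
  };
}

const demoStats = { pulled: 0 };
console.log(fetchWithLimits(oversizedFeed(demoStats), { maxBodyBytes: 4096 }), demoStats);
console.log(fetchWithLimits(headerBomb({ pulled: 0 })));
```

With a 4 KiB cap the feed is abandoned on the fifth 1 KiB chunk; the remaining 995 chunks are never requested, which is the difference between a bounded download and the amplification vector the advisory describes.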



---



Internal reference: MWB-1978
Type: CWE-639 (Authorization Bypass Through User-Controlled Key)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev36
First fixed revision: OX App Suite backend 7.10.6-rev37
Discovery date: 2023-01-01
Solution date: 2023-02-06
Disclosure date: 2023-05-05
Researcher credits: Tim Coen
CVE: CVE-2023-24599
CVSS: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L)

Details:
Users can change arbitrary appointments through ID confusion. Appointments of 
other users could be changed without the appropriate authorization by sending 
conflicting object IDs within the same request.

Risk:
Attackers within the same context can modify fragments of appointment 
information in folders without read access, including other users' personal 
calendar folders. No publicly available exploits are known.

Solution:
We improved permission checks when updating appointments to restrict access.
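Added example, not OX App Suite code: an appointment update handler that derives exactly one target object from the request and authorizes that object. The advisory describes a request carrying conflicting object IDs; here any disagreement between the places an ID can appear is a hard error, the object is loaded by the single agreed ID, and the permission check runs against the folder the stored object actually lives in rather than the folder the client claims. The store, the ACL table and the query/body request shape are assumptions.

```javascript
// Added example, not OX App Suite code: one target per request, authorized
// against where the object really is.

const APPOINTMENTS = {
  a1: { id: 'a1', folderId: 'alice_cal', title: 'Dentist' },
  b1: { id: 'b1', folderId: 'bob_cal', title: 'Standup' },
};
const CALENDAR_ACL = {
  alice_cal: { alice: ['read', 'write'] },
  bob_cal: { bob: ['read', 'write'] },
};

class BadRequest extends Error {}
class Forbidden extends Error {}

function canWrite(user, folderId) {
  const grants = (CALENDAR_ACL[folderId] && CALENDAR_ACL[folderId][user]) || [];
  return grants.includes('write');
}

// req = { query: { id, folder }, body: { ...changed fields, possibly id/folder } }
function updateAppointment(user, req) {
  // 1. Every location where the client can name the object must agree.
  for (const key of ['id', 'folder']) {
    if (req.body[key] !== undefined && String(req.body[key]) !== String(req.query[key])) {
      throw new BadRequest(`conflicting ${key}: query says ${req.query[key]}, body says ${req.body[key]}`);
    }
  }
  // 2. Load by the single agreed ID and authorize against the folder the
  //    object is actually in, not the folder the client claims.
  const stored = APPOINTMENTS[req.query.id];
  if (!stored || stored.folderId !== req.query.folder) {
    throw new Forbidden('not found'); // same answer for missing and foreign objects
  }
  if (!canWrite(user, stored.folderId)) throw new Forbidden('no write permission');
  // 3. Identity fields are never taken from the body, only the editable ones.
  const { id: _id, folder: _folder, ...fields } = req.body;
  return Object.assign(stored, fields);
}

// Constructed: bob names his own appointment in the query and alice's in the body.
console.log((() => {
  try { return updateAppointment('bob', { query: { id: 'b1', folder: 'bob_cal' }, body: { id: 'a1', title: 'pwned' } }); }
  catch (e) { return `${e.constructor.name}: ${e.message}`; }
})());
```

Step 1 is what closes the reported bug; steps 2 and 3 are the general form of the same rule, that authorization and the write must operate on the same resolved object, so that a later refactoring cannot reintroduce the split.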


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/