[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] OXAS-ADV-2024-0002: OX App Suite Security Advisory

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] OXAS-ADV-2024-0002: OX App Suite Security Advisory
From: Martin Heiland via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Mon, 6 May 2024 09:20:46 +0200 (CEST)

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who
contributed in finding and solving those vulnerabilities. Feel free to join our
bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0002.html.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Internal reference: MWB-2471
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 8.21
First fixed revision: OX App Suite backend 8.22
Discovery date: 2024-01-29
Solution date: 2024-03-04
CVE: CVE-2024-23187
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Details:
XSS by abusing CID replacement. Content-ID based embedding of resources in
E-Mails could be abused to trigger client-side script code when using the "show
more" option.

Risk:
Attackers could perform malicious API requests or extract information from the
users account. Exploiting the vulnerability requires user interaction. No
publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. CID replacement has been
hardened to omit invalid identifiers.

---

Internal reference: OXUIB-2735
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 8.21
First fixed revision: OX App Suite frontend 8.22
Discovery date: 2024-02-13
Solution date: 2024-03-04
CVE: CVE-2024-23186
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Details:
XSS with mail displayname in mobile view. E-Mail containing malicious
display-name information could trigger client-side script execution when using
specific mobile devices.

Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. We now use safer methods
of handling external content when embedding displayname information to the web
interface.

---

Internal reference: OXUIB-2695
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 8.21
First fixed revision: OX App Suite frontend 8.22
Discovery date: 2024-01-10
Solution date: 2024-03-04
CVE: CVE-2024-23188
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Details:
XSS using mail attachment file names. Maliciously crafted E-Mail attachment
names could be used to temporarily execute script code in the context of the
users browser session. Common user interaction is required for the
vulnerability to trigger.

Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. We now use safer methods
of handling external content when embedding attachment information to the web
interface.

---

Internal reference: DOCS-5199
Type: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 8.21
First fixed revision: OX App Suite office 8.22
Discovery date: 2024-01-10
Solution date: 2024-02-09
CVE: CVE-2024-23193
CVSS: 5.3 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Details:
Documentconverter allows access to other user exported PDF files. E-Mails
exported as PDF were stored in a cache that did not consider specific session
information for the related user account.

Risk:
Users of the same service node could access other users E-Mails in case they
were exported as PDF for a brief moment until caches were cleared. Successful
exploitation requires good timing and modification of multiple request
parameters. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. The cache for PDF
exports now takes user session information into consideration when performing
authorization decisions.

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] Microsoft PlayReady toolkit - codes release
Next by Date: [FD] secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping (XSS) flaws in Drupal-Wiki
Previous by thread: [FD] Microsoft PlayReady toolkit - codes release
Next by thread: [FD] secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping (XSS) flaws in Drupal-Wiki
Index(es):
- Date
- Thread