Dear subscribers,
We're sharing our latest advisory with you and like to thank everyone who
contributed in finding and solving those vulnerabilities. Feel free to join our
bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.
This advisory has also been published at
https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Internal reference: OXUIB-2660
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite
frontend 8.20
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend
8.21
Discovery date: 2023-12-13
Solution date: 2024-02-05
Disclosure date: 2024-02-08
CVE: CVE-2024-23192
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS for RSS content using data-attributes. RSS feeds that contain malicious
data- attributes could be abused to inject script code to a users browser
session when reading compromised RSS feeds or successfully luring users to
compromised accounts.
Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Potentially malicious
attributes now get removed from external RSS content.
---
Internal reference: OXUIB-2663
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2023-12-13
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23191
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS using data- attributes at upsell ads. Upsell advertisement information of
an account can be manipulated to execute script code in the context of the
users browser session. To exploit this an attacker would require temporary
access to a users account or an successful social engineering attack to lure
users to maliciously configured accounts.
Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of
user-defined upsell content has been improved.
---
Internal reference: OXUIB-2688
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2024-01-09
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23190
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS using "data" attributes at upsell shop. Upsell shop information of an
account can be manipulated to execute script code in the context of the users
browser session. To exploit this an attacker would require temporary access to
a users account or an successful social engineering attack to lure users to
maliciously configured accounts.
Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of
user-defined upsell content has been improved.
---
Internal reference: OXUIB-2689
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite
frontend 8.21
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend
8.22
Discovery date: 2024-01-09
Solution date: 2024-02-01
Disclosure date: 2024-02-08
CVE: CVE-2024-23189
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Details:
XSS using tasks "original mail" references. Embedded content references at
tasks could be used to temporarily execute script code in the context of the
users browser session. To exploit this an attacker would require temporary
access to the users account, access to another account within the same context
or an successful social engineering attack to make users import external
content.
Risk:
Attackers could perform malicious API requests or extract information from the
users account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of
user-generated content has been improved.
---
Internal reference: DOCS-5222
Type: CWE-502 (Deserialization of Untrusted Data)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev11
First fixed revision: OX App Suite office 7.10.6-rev12
Discovery date: 2024-01-24
Solution date: 2024-02-06
Disclosure date: 2024-02-08
CVE: CVE-2023-46604
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
Details:
CVE-2023-46604 regarding office/dcs. CVE-2023-46604 has been identified at the
Apache ActiveMQ (AMQ) project which affects a version of that component shipped
by OX App Suite components.
Risk:
The vulnerability in AMQ can potentially be exploited in OX App Suite
deployments, depending on network topology and configuration. No publicly
available exploits are known.
Solution:
Please deploy the provided updates and patch releases. We provide an updated
version of the affected component that is not vulnerable.
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/