CVE-2022-43696: OX App Suite Security Advisory
OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.
Full Disclosure mailing list archives

OXAS-ADV-2022-0002: OX App Suite Security Advisory
From: Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>
Date: Thu, 9 Feb 2023 08:40:01 +0000 (WET)
Dear subscribers,
We’re sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.
A CSAF representation of this advisory has been published at https://documentation.open-xchange.com/security/advisories/.
Yours sincerely, Martin Heiland, Open-Xchange GmbH
Internal reference: OXUIB-1795
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-07-29
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-37306
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Details: XSS using “upsell” triggers. Non-alphanumeric content can be injected by the user as JS content for the “upsell” module. As a result, the code will be executed during subsequent logins and opening the “Portal” application, enabling a persistent cross-site scripting attack vector.
Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.
Solution: We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.
Internal reference: OXUIB-1933
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19
First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20
Discovery date: 2022-09-26
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-43696
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Details: XSS using “upsell ads”. HTML content can be injected by the user as JS content for the “upsell ads” module. As a result, the code will be executed during subsequent logins and when opening the “Portal” application, enabling a persistent cross-site scripting attack vector.
Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.
Solution: We improved the sanitization process for upsell ads.
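As an added illustration of the allow-list approach the two fixes above describe (example code, not OX App Suite's own), user-writable upsell settings are validated against a grammar when stored and escaped for the HTML context when the Portal renders them; the keys `trigger`, `ad_title` and `ad_text` and the sample values are constructed for the example.

```python
import html
import re

# Grammar for values that end up in a script context (constructed for this
# example, not OX App Suite's real upsell keys): letters, digits, '_' and '-',
# 1 to 64 characters. Anything the grammar does not produce is rejected, so no
# list of "dangerous" characters is needed and code written mostly in
# punctuation cannot pass a check that only inspects the letters present.
IDENTIFIER = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")
IDENTIFIER_KEYS = {"trigger"}         # must match the grammar exactly
TEXT_KEYS = {"ad_title", "ad_text"}   # stored as text, escaped when rendered

class InvalidSetting(ValueError):
    """A user-supplied upsell setting failed allow-list validation."""

def validate_upsell_settings(raw: dict) -> dict:
    """Allow-list validation at write time: unknown keys and non-string
    values are refused rather than stored."""
    clean = {}
    for key, value in raw.items():
        if not isinstance(value, str):
            raise InvalidSetting(f"{key!r} must be a string")
        if key in IDENTIFIER_KEYS:
            if not IDENTIFIER.match(value):
                raise InvalidSetting(f"{key!r} has characters outside the allow-list")
        elif key not in TEXT_KEYS:
            raise InvalidSetting(f"unknown setting {key!r}")
        clean[key] = value
    return clean

def is_valid(raw: dict) -> bool:
    try:
        validate_upsell_settings(raw)
        return True
    except InvalidSetting:
        return False

def render_upsell_ad(settings: dict) -> str:
    """Render the Portal widget. Each value is escaped for the context it
    lands in (quoted attribute or element content); nothing user-controlled
    is emitted as script, so stored markup is displayed, not executed."""
    return ('<div class="upsell" data-trigger="{trigger}">'
            "<h3>{title}</h3><p>{text}</p></div>").format(
        trigger=html.escape(settings["trigger"], quote=True),
        title=html.escape(settings.get("ad_title", "")),
        text=html.escape(settings.get("ad_text", "")))

if __name__ == "__main__":
    # Constructed samples: a benign configuration, ad text carrying markup,
    # and a trigger made mostly of punctuation.
    good = {"trigger": "premium-storage", "ad_title": "Need more space?"}
    markup = {"trigger": "premium-storage", "ad_text": "Upgrade <script>alert(1)</script>"}
    print(render_upsell_ad(validate_upsell_settings(good)))
    print(render_upsell_ad(validate_upsell_settings(markup)))  # markup shown as text
    print(is_valid({"trigger": "premium);[]+![];("}))           # False
```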
Internal reference: MWB-1784
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-08-16
Solution date: 2022-10-25
Disclosure date: 2023-02-08
CVE: CVE-2022-43697
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Details: “Tracking” features can be used to inject arbitrary script code. In case activity tracking adapters are enabled but not defined, users can use jslob to define their own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library.
Risk: Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.
Solution: We made the related jslob configuration endpoint read-only for users.
Internal reference: MWB-1823
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-09-14
Solution date: 2022-10-24
Disclosure date: 2023-02-08
CVE: CVE-2022-43698
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Details: SSRF using POP3 account updates. When changing a valid external POP3 mail account as a user, the operation to update the account's settings did not consider deny-list values.
Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine “internal” addresses and services, depending on the measurable behaviour and content of error responses. While no data from such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.
Solution: We now check compliance with existing deny-list content when updating POP3 mail accounts.
Internal reference: MWB-1862
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-10-06
Solution date: 2022-11-07
Disclosure date: 2023-02-08
CVE: CVE-2022-43699
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
Details: Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connection checks based on the host part of the E-Mail address. Those checks did not take existing deny-lists into account, allowing attackers with access to the DNS records of a domain to redirect requests to disallowed addresses.
Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine “internal” addresses and services, depending on the measurable behaviour and content of error responses. While no data from such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.
Solution: We check for compliance with existing deny-list content when performing mail account autodiscovery.
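An added example, not code from OX App Suite, of the deny-list check that both SSRF fixes above describe: it runs on the account-update path as well as on creation, and on every candidate host that autodiscovery derives from the mail domain, comparing the resolved addresses rather than only the host name. The deny-list contents, the candidate host names and the DNS data are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed deny-list (illustrative, not OX App Suite's configuration):
# private, loopback and link-local ranges plus one named internal host.
DENY_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7")]
DENY_HOSTNAMES = {"metadata.internal.example"}

class DenyListViolation(ValueError):
    """The target would reach a deny-listed host name or address."""

def vet_host(host: str, resolver: Callable[[str], List[str]]) -> List[str]:
    """Apply the deny-list to the host name and every address it resolves to;
    return those addresses so the caller connects to exactly them (no re-resolve)."""
    if host.lower() in DENY_HOSTNAMES:
        raise DenyListViolation(f"host name {host!r} is deny-listed")
    try:
        ipaddress.ip_address(host)  # literal address: nothing to resolve
        addrs = [host]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")
    for addr in addrs:
        if any(ipaddress.ip_address(addr) in net for net in DENY_NETWORKS):
            raise DenyListViolation(f"{host!r} resolves to deny-listed {addr}")
    return addrs

def update_pop3_account(account: dict, changes: dict, resolver) -> dict:
    """Merge an update and re-run the deny-list check on the result: the check
    belongs on the update path as well as on creation (CVE-2022-43698)."""
    merged = {**account, **changes}
    merged["resolved_addrs"] = vet_host(merged["pop3_server"], resolver)
    return merged

def autodiscover_pop3(email: str, resolver) -> Dict[str, List[str]]:
    """Derive candidate POP3 hosts from the address's host part and vet each one
    before any connection; deny-listed candidates are dropped (CVE-2022-43699)."""
    domain = email.rsplit("@", 1)[1].lower()
    vetted = {}
    for host in (f"pop3.{domain}", f"mail.{domain}", domain):
        try:
            vetted[host] = vet_host(host, resolver)
        except ValueError:  # includes DenyListViolation
            continue
    return vetted

# Constructed DNS data: the rogue domain's mail hosts point at internal addresses.
FAKE_DNS = {"pop3.example.net": ["203.0.113.10"], "rogue.example": ["198.51.100.7"],
            "pop3.rogue.example": ["192.168.1.20"], "mail.rogue.example": ["10.0.0.5"]}

def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])
```

In production the resolver would be the system's `getaddrinfo`, and the connection would be opened to the returned addresses with the original host name kept only for TLS and protocol purposes.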
Internal reference: MWB-1882, DOCS-4580
Vulnerability type: CWE-94 (Improper Control of Generation of Code (‘Code Injection’))
Component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6
Discovery date: 2022-10-19
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-42889
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Details: Apache Commons Text Update. A critical vulnerability in the Apache Commons Text library has been identified; the library is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge, that means our products are not vulnerable.
Risk: Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known.
Solution: We provided an update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/