OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue
OX App Suite version 7.10.6 suffers from cross site scripting and deserialization vulnerabilities.
Dear subscribers,
We’re sharing our latest advisory with you and would like to thank everyone who contributed to finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.
This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Internal reference: OXUIB-2660
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.20
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.21
Discovery date: 2023-12-13
Solution date: 2024-02-05
Disclosure date: 2024-02-08
CVE: CVE-2024-23192
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS for RSS content using data-attributes. RSS feeds that contain malicious data-attributes could be abused to inject script code into a user's browser session when the user reads a compromised RSS feed, or when an attacker successfully lures users to compromised accounts.
Risk:
Attackers could perform malicious API requests or extract information from the user's account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Potentially malicious attributes are now removed from external RSS content.
Internal reference: OXUIB-2663
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2023-12-13
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23191
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS using data-attributes at upsell ads. Upsell advertisement information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts.
Risk:
Attackers could perform malicious API requests or extract information from the user's account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.
Internal reference: OXUIB-2688
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2024-01-09
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23190
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS using “data” attributes at upsell shop. Upsell shop information of an account can be manipulated to execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to a user's account or a successful social engineering attack to lure users to maliciously configured accounts.
Risk:
Attackers could perform malicious API requests or extract information from the user's account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.
Internal reference: OXUIB-2689
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.21
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.22
Discovery date: 2024-01-09
Solution date: 2024-02-01
Disclosure date: 2024-02-08
CVE: CVE-2024-23189
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Details:
XSS using tasks' “original mail” references. Embedded content references at tasks could be used to temporarily execute script code in the context of the user's browser session. To exploit this, an attacker would require temporary access to the user's account, access to another account within the same context, or a successful social engineering attack to make users import external content.
Risk:
Attackers could perform malicious API requests or extract information from the user's account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved.
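All four XSS entries above were fixed the same way: script-capable attributes are stripped from untrusted HTML (external RSS content, user-defined upsell content, task content references) before the frontend renders it. The following is an added example of that mitigation, not OX App Suite code: an allow-list attribute stripper built on Python's standard html.parser. The tag and scheme policy, the function names and the sample item are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Policy: drop data-* attributes (the vector in the XSS entries above), inline on*
# handlers, URL attributes with a script-capable scheme, and script-bearing elements.
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}
DROPPED_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img", "hr"}

def url_allowed(value):
    # Browsers ignore tabs/newlines inside a scheme, so remove them before parsing.
    cleaned = "".join(ch for ch in (value or "") if ch.isprintable()).strip()
    return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES

def attribute_allowed(name, value):
    name = name.lower()
    if name.startswith("data-") or name.startswith("on"):
        return False
    return url_allowed(value) if name in URL_ATTRS else True

class AttributeStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_TAGS:
            self.skip_depth += 1  # an unclosed dropped element swallows the rest: fail closed
        elif not self.skip_depth:
            kept = "".join(f' {n}="{escape(v or "", quote=True)}"'
                           for n, v in attrs if attribute_allowed(n, v))
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROPPED_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_feed_html(fragment):
    parser = AttributeStripper()
    parser.feed(fragment)
    parser.close()  # flush text buffered by convert_charrefs
    return "".join(parser.out)

# Constructed sample item, not taken from any real feed.
SAMPLE_ITEM = ('<p data-toggle="popover" onclick="alert(1)">Hello <b>world</b></p>'
               '<a href="javascript:alert(1)" title="x">link</a><script>alert(1)</script>'
               '<img src="https://example.test/i.png" data-x="1">')
```

Text and surviving attribute values are re-escaped on output, so entity tricks in the source do not survive the round trip.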
Internal reference: DOCS-5222
Type: CWE-502 (Deserialization of Untrusted Data)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev11
First fixed revision: OX App Suite office 7.10.6-rev12
Discovery date: 2024-01-24
Solution date: 2024-02-06
Disclosure date: 2024-02-08
CVE: CVE-2023-46604
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
Details:
CVE-2023-46604 regarding office/dcs. CVE-2023-46604 was identified in the Apache ActiveMQ (AMQ) project and affects a version of that component shipped with OX App Suite components.
Risk:
The vulnerability in AMQ can potentially be exploited in OX App Suite deployments, depending on network topology and configuration. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. We provide an updated version of the affected component that is not vulnerable.