OX App Suite 7.10.6 Access Control / Cross Site Scripting
OX App Suite version 7.10.6-rev51 suffers from an access control vulnerability. Version 7.10.6-rev34 suffers from multiple cross site scripting vulnerabilities.
Internal reference: MWB-2315
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17
First fixed revision: OX App Suite backend 7.10.6-rev52, OX App Suite backend 8.18
Discovery date: 2023-09-21
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29051
CVSS: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Details:
User-defined templates can bypass access control. User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.
Risk:
Unauthorized users could discover and modify application state, including objects related to other users and contexts. No publicly available exploits are known.
Solution:
We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product.
Internal reference: OXUIB-2532
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29052
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS in upsell portal widget (shop disclaimer). Users were able to define disclaimer texts for an upsell shop dialog; these texts could contain script code that was not sanitized correctly.
Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.
Solution:
We added sanitization for this content.
Internal reference: OXUIB-2533
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-41710
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS in upsell portal widget (shop URL). User-defined script code could be stored as an upsell-related shop URL. This code was not correctly sanitized when it was added to the DOM.
Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.
Solution:
We added sanitization for this content.
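The two frontend issues above (OXUIB-2532, user-defined disclaimer text, and OXUIB-2533, a user-defined shop URL) share one root cause: stored, user-controlled settings reached the DOM without neutralization. The following is an added example, not OX App Suite code, of the kind of sanitization a widget like this needs: free text is HTML-escaped before it becomes markup, and a link target is accepted only when it parses as an absolute http(s) URL. All function names, the settings shape and the sample values are constructed for this illustration.

```javascript
// Added example (not OX App Suite code): hardening an upsell-style widget
// that renders two user-defined settings, a disclaimer text and a shop URL.
// escapeHtml, sanitizeShopUrl, renderUpsellWidget* and the settings object
// layout are assumptions made for this illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure, so user text
// is rendered as text even when it contains tags or attribute delimiters.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a normalized absolute http(s) URL, or null when the value must not
// be used as a link target. Parsing without a base URL means relative or
// scheme-less input is rejected as well, which is the safe default here.
function sanitizeShopUrl(value) {
  let parsed;
  try {
    parsed = new URL(String(value).trim());
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null; // blocks javascript:, data: and any other script-bearing scheme
  }
  return parsed.href;
}

// Vulnerable pattern: raw interpolation of stored settings into markup.
// Kept only to contrast with the hardened renderer below.
function renderUpsellWidgetUnsafe(settings) {
  return `<div class="upsell"><a href="${settings.shopUrl}">Shop</a>` +
         `<p>${settings.disclaimer}</p></div>`;
}

// Hardened pattern: validate the URL, escape everything that is text, and
// degrade to a plain label when the URL is unusable instead of rendering it.
function renderUpsellWidget(settings) {
  const url = sanitizeShopUrl(settings.shopUrl);
  const link = url ? `<a href="${escapeHtml(url)}">Shop</a>` : '<span>Shop</span>';
  return `<div class="upsell">${link}<p>${escapeHtml(settings.disclaimer)}</p></div>`;
}

// Constructed sample settings: what a stored widget configuration could look
// like after an account holder has saved script-bearing values.
const SAMPLE_SETTINGS = {
  disclaimer: 'Offer ends soon <script>alert(1)</script>',
  shopUrl: 'javascript:alert(1)',
};

// Quick self-check: the unsafe renderer lets the tag through, the hardened
// one renders it as visible text and drops the unusable link target.
function demo() {
  return {
    unsafeContainsScript: renderUpsellWidgetUnsafe(SAMPLE_SETTINGS).includes('<script'),
    safeContainsScript: renderUpsellWidget(SAMPLE_SETTINGS).includes('<script'),
    safeMarkup: renderUpsellWidget(SAMPLE_SETTINGS),
  };
}
```

In a real widget the escaped string would still be assigned through the framework's text-binding API (or `textContent` for the disclaimer and `href` after `sanitizeShopUrl` for the link) rather than concatenated into `innerHTML`; the string-building here only makes the difference between the two renderers visible in one place.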