Headline
OX App Suite Cross Site Scripting / Denial Of Service
OX App Suite frontend version 7.10.6-rev42 suffers from cross site scripting vulnerabilities. OX App Suite backend versions 7.10.6-rev61 and 8.22 suffer from a denial of service vulnerability.
Dear subscribers,
We’re sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.
This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0003.html.
Yours sincerely,
Martin Heiland, Open-Xchange GmbH
Internal reference: MWB-2525
Type: CWE-835 (Loop with Unreachable Exit Condition (‘Infinite Loop’))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev61, OX App Suite backend 8.22
First fixed revision: OX App Suite backend 7.10.6-rev62, OX App Suite backend 8.23
Discovery date: 2024-03-01
Solution date: 2024-04-11
CVE: CVE-2024-25710
CVSS: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Details:
Apache Commons Compress library is prone to a denial of service (DoS) vulnerability… Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in Apache Commons Compress. This issue affects a Apache Commons Compress library shipped with OX App Suite.
Risk:
The vulnerability can potentially be exploited through OX App Suite and affect availability of the service. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.
Internal reference: OXUIB-2718
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev42
First fixed revision: OX App Suite frontend 7.10.6-rev43
Discovery date: 2024-01-30
Solution date: 2024-04-04
CVE: CVE-2024-25582
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Details:
XSS using arbitrary relative path to UI module. Module savepoints could be abused to inject references to malicious code delivered through the same domain.
Risk:
Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.
Internal reference: OXUIB-2699
Type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev42
First fixed revision: OX App Suite frontend 7.10.6-rev43
Discovery date: 2024-01-15
Solution date: 2024-03-28
CVE: CVE-2021-41184
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Details:
Outdated jquery-ui shipped with 7.10.6. JQuery third-party components with known vulnerabilities have been shipped.
Risk:
This update serves as a preventive measure since no practical exploitation in the context of OX App Suite is feasible. No publicly available exploits are known.
Solution:
Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.
Related news
Red Hat Security Advisory 2024-4057-03 - Release of OpenShift Serverless Logic 1.33.0. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2024-3989-03 - Migration Toolkit for Applications 6.2.3 release. Issues addressed include denial of service, memory leak, and password leak vulnerabilities.
Red Hat Security Advisory 2024-3527-03 - Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal. Issues addressed include buffer overflow, denial of service, integer overflow, memory leak, and resource exhaustion vulnerabilities.
Red Hat Security Advisory 2024-2833-03 - An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1948-03 - An update for Red Hat Build of Apache Camel 3.18 for Quarkus 2.13 is now available. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product Security has rated this update as having a security impact of Important. Issues addressed include denial of service and server-side request forgery vulnerabilities.
Red Hat Security Advisory 2024-1706-03 - An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available. Red Hat Product Security has rated this update as having a security impact of Important. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Issues addressed include denial of service and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1662-03 - An update is now available for Red Hat build of Quarkus. Issues addressed include denial of service, information leakage, and memory leak vulnerabilities.
Red Hat Security Advisory 2024-1509-03 - An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6419-1 - Hong Phat Ly discovered that jQuery UI did not properly manage parameters from untrusted sources, which could lead to arbitrary web script or HTML code injection. A remote attacker could possibly use this issue to perform a cross-site scripting attack. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Esben Sparre Andreasen discovered that jQuery UI did not properly handle values from untrusted sources in the Datepicker widget. A remote attacker could possibly use this issue to perform a cross-site scripting attack and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. The device allows unauthenticated access to Telnet and SNMP credentials.
Aten PE8108 2.4.232 is vulnerable to Incorrect Access Control. Restricted users have access to other users outlets.
Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permission checks. Depending on the configuration, this may require login as a registered user.
An authenticated attacker could utilize the identical agent and cluster node linking keys to potentially allow for a scenario where unauthorized disclosure of agent logs and data is present.
Dell WMS 3.6.1 and below contains a Path Traversal vulnerability in Device API. A remote attacker could potentially exploit this vulnerability, to gain unauthorized read access to the files stored on the server filesystem, with the privileges of the running web application.
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a low level user to obtain sensitive information from the details of the 'Cloud Storage' page for which they should not have access. IBM X-Force ID: 202682.
An authenticated attacker could create an audit file that bypasses PowerShell cmdlet checks and executes commands with administrator privileges.
Red Hat Security Advisory 2022-4711-01 - The ovirt-engine package provides the Red Hat Virtualization Manager, a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource management, live migrations, and virtual infrastructure provisioning. Issues addressed include cross site scripting and denial of service vulnerabilities.
jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.