OX App Suite Cross Site Scripting / Server-Side Request Forgery

OX App Suite suffers from cross site scripting and server-side request forgery vulnerabilities.

Packet Storm

Internal reference: OXUIB-1795
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-07-29
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-37306
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
XSS using “upsell” triggers. Non-alphanumeric content can be injected by the user as JS content for the “upsell” module. As a result, the code will be executed during subsequent logins and when opening the “Portal” application, enabling a persistent cross-site scripting attack vector.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.


Internal reference: OXUIB-1933
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19
First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20
Discovery date: 2022-09-26
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-43696
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
XSS using “upsell ads”. HTML content can be injected by the user as JS content for the “upsell ads” module. As a result, the code will be executed during subsequent logins and when opening the “Portal” application, enabling a persistent cross-site scripting attack vector.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We improved the sanitization process for upsell ads.


Internal reference: MWB-1784
Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-08-16
Solution date: 2022-10-25
Disclosure date: 2023-02-08
CVE: CVE-2022-43697
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Details:
“Tracking” features can be used to inject arbitrary script code. If activity tracking adapters are enabled but not defined, users can use jslob to define their own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require temporary access to the user's account or would need to lure a user to a compromised account. No publicly available exploits are known.

Solution:
We made the related jslob configuration endpoint read-only for users.


Internal reference: MWB-1823
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-09-14
Solution date: 2022-10-24
Disclosure date: 2023-02-08
CVE: CVE-2022-43698
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
SSRF using POP3 account updates. When a user changed a valid external POP3 mail account, the operation to update the account's settings did not consider deny-list values.

Risk:
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine “internal” addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.

Solution:
We now check compliance with existing deny-list content when updating POP3 mail accounts.


Internal reference: MWB-1862
Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF))
Component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30
Discovery date: 2022-10-06
Solution date: 2022-11-07
Disclosure date: 2023-02-08
CVE: CVE-2022-43699
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Details:
Mail account discovery can be abused for SSRF. The external e-mail autodiscovery feature performs connection checks based on the host part of the e-mail address. These checks do not take existing deny-lists into account, allowing attackers with access to the DNS records of a domain to redirect requests to illegal addresses.

Risk:
Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine “internal” addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies. No publicly available exploits are known.

Solution:
We check for compliance with existing deny-list content when performing mail account autodiscovery.
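
The deny-list checks described for MWB-1823 and MWB-1862, sketched as an added Python example (not Open-Xchange code): one validation routine is applied to the merged settings on both create and update, and to every address an autodiscovery candidate resolves to. The deny-listed networks, the DNS data, `save_account`, `autodiscovery_targets` and the host prefixes are assumptions made for illustration.

```python
import ipaddress

# Constructed deny-list; a deployment would load its own configured values.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
DENIED_HOSTNAMES = {"localhost"}

# Constructed DNS answers standing in for a real resolver, so this runs offline.
SAMPLE_DNS = {
    "pop.example.org": ["203.0.113.10"],
    "mail.example.org": ["203.0.113.11"],
    "internal-alias.example.net": ["10.0.0.5"],
    "mail.internal-alias.example.net": ["203.0.113.12", "::ffff:192.168.1.20"],
}

class DeniedDestination(ValueError):
    """Raised when a host is, or resolves to, a deny-listed destination."""

def _to_ip(text):
    ip = ipaddress.ip_address(text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.5 is matched as 10.0.0.5.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def check_destination(host, resolve):
    """Return the vetted addresses for host, or raise DeniedDestination."""
    name = host.strip().rstrip(".").lower()
    if not name or name in DENIED_HOSTNAMES:
        raise DeniedDestination(f"host {host!r} is deny-listed")
    try:
        addresses = [_to_ip(name.strip("[]"))]               # literal IP address
    except ValueError:
        addresses = [_to_ip(a) for a in resolve(name) or []]  # check every DNS answer
    if not addresses:
        raise DeniedDestination(f"host {host!r} does not resolve")
    for ip in addresses:
        if any(ip in net for net in DENIED_NETWORKS):
            raise DeniedDestination(f"{host!r} maps to deny-listed {ip}")
    return [str(ip) for ip in addresses]

def save_account(accounts, account_id, resolve, **changes):
    """Hypothetical create-or-update path: the merged settings are always validated."""
    merged = {**accounts.get(account_id, {}), **changes}
    check_destination(merged["host"], resolve)  # same check on create and on update
    accounts[account_id] = merged
    return merged

def autodiscovery_targets(email, resolve, prefixes=("", "mail.", "pop.")):
    """Return {candidate host: vetted addresses} for hosts derived from the address."""
    domain = email.rsplit("@", 1)[-1]
    targets = {}
    for prefix in prefixes:
        try:
            targets[prefix + domain] = check_destination(prefix + domain, resolve)
        except DeniedDestination:
            continue  # never probe a candidate that fails the deny-list
    return targets
```

Connections should be made to the vetted addresses that `check_destination` returns rather than to a freshly resolved name, since a DNS answer that changes between check and connect would otherwise sidestep the deny-list.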


Internal reference: MWB-1882, DOCS-4580
Vulnerability type: CWE-94 (Improper Control of Generation of Code (‘Code Injection’))
Component: office
Report confidence: Confirmed
Solution status: Fixed by Vendor
Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5
First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6
Discovery date: 2022-10-19
Solution date: 2022-10-21
Disclosure date: 2023-02-08
CVE: CVE-2022-42889
CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Details:
Apache Commons Text update. A critical vulnerability has been identified in the Apache Commons Text library, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge, that means our products are not vulnerable.

Risk:
Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known.

Solution:
We provided an update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.
