OXAS-ADV-2023-0006: OX App Suite Security Advisory

[Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>]

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those 
vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
    Martin Heiland, Open-Xchange GmbH



Internal reference: MWB-2315
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17
First fixed revision: OX App Suite backend 7.10.6-rev52, OX App Suite backend 8.18
Discovery date: 2023-09-21
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29051
CVSS: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Details:
User-defined templates can bypass access control. User-defined OXMF templates could be used to access a limited part of 
the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this 
case.

Risk:
Unauthorized users could discover and modify application state, including objects related to other users and contexts. 
No publicly available exploits are known.

Solution:
We now make sure that the switch to disable user-generated templates by default works as intended and will remove the 
feature in future generations of the product.



---



Internal reference: OXUIB-2532
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29052
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop disclaimer). Users were able to define disclaimer texts for an upsell shop dialog 
that would contain script code that was not sanitized correctly.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a 
trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.



---



Internal reference: OXUIB-2533
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-41710
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop URL). User-defined script code could be stored for a upsell related shop URL. This 
code was not correctly sanitized when adding it to DOM.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a 
trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.

Attachment: signature.asc
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/