Dear subscribers,

we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne.

Yours sincerely,
  Martin Heiland, Open-Xchange GmbH



Product: OX App Suite / OX Documents
Vendor: OX Software GmbH



Internal reference: MWB-70 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: raiz_
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the ancient media-type "text/x-javascript" as potentially malicious, however Google Chrome executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-107 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.1 to 7.10.3
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Osama Hamad Shehab
CVE reference: CVE-2020-12645
CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
When using OX App Suite for authentication directly, a login "rate-limit" is applied. This could be circumvented by exploiting logic issues when handling the clients user-agent string.

Risk:
Brute-force attempts could be made using large quantities of arbitrary passwords to discover account credentials. While this attack would be quite noisy it's possible that it may not get noticed on unmonitored systems. The attacker would still hit the generic API request limit at some point.

Steps to reproduce:
1. Use the /login API and send login attempts until the rate-limit hits
2. Modify the user-agent string
3. Return login attempts

Solution:
We fixed the logic dealing with buckets of login processes to discover such attempts and correctly apply rate limiting.



---



Internal reference: MWB-108 (Bug ID)
Vulnerability type: Access Control Bypass (CWE-639)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12643
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Incorrect permission checks were performed when requesting other users "snippets". This can be used to discover E-Mail addresses of external accounts.

Risk:
Potentially sensitive information about other users can be discovered and used for further attacks. Access is limited to users within the same context.

Steps to reproduce:
1. Use the /api/subscriptions API and request arbitrary subscription IDs for other user IDs
2. If a combination of user ID and subscription ID matches, metadata about a subscription would be returned

Solution:
We improved permissions checks in this area to limit exposure of information.



---



Internal reference: MWB-120 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-02-27
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: kattsson
CVE reference: CVE-2020-12645
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Vulnerability Details:
Vacation notices could be used to send E-Mail with arbitrary sender information.

Risk:
Malicious users could set up vacation notices that send E-Mail responses with a forged sender address. Depending on the egress MTA configuration this can be used for impersonification.

Steps to reproduce:
1. Create vacation notice and modify the "From" attribute by changing the API request
2. Make someone send E-Mail to this account or forge a "reply-to" header
3. E-Mail will be sent using illegitimate sender information

Solution:
We applied the same checks for vacation notices as we're using for regular user mail operations.



---



Internal reference: MWB-190 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2020-03-24
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: Alexey Petrenko
CVE reference: CVE-2020-12646
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Our script filters did not consider the media-type "text/rdf" as potentially malicious, however Mozilla Firefox executes content of this type as script code.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Upload a code snippet to Drive and modify its media-type
2. Share the file publicly and make a user open this link
3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter

Solution:
We improved our filter to consider this media-type.



---



Internal reference: MWB-221 (Bug ID)
Vulnerability type: Improper input validation (CWE-20)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12645
CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
The /apps/load endpoint is used to pre-load various resources for optimized transfer. It's parameters can be abused to process content multiple times.

Risk:
Depending on the environments memory configuration and the amount of requested content, memory exhaustion can be triggered, leading to temporary unavailability of one or more nodes.

Steps to reproduce:
1. Use the /apps/load API endpoint and supply up to 254 content references
2. Repeat and/or run this request in parallel

Solution:
We removed duplicate content from the request and make sure none is processed twice. Since only limited options for content exist we expect this to mitigate the attack vector.



---



Internal reference: MWB-226 (Bug ID)
Vulnerability type: Server-side request forgery (CWE-918)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12
Vendor notification: 2019-04-07
Solution date: 2020-05-13
Public disclosure: 2020-08-20
CVE reference: CVE-2020-12644
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)

Vulnerability Details:
The mail account API can be used to inject references to internal network topology when updating existing accounts and subsequent requests would trigger network connections.

Risk:
Based on the response and timing of those connections and attacker can gain insight to internal network topology and configuration. This bypasses the existing blacklist.

Steps to reproduce:
1. Add a new external mail account using a legitimate IMAP server
2. Modify this accounts configuration and add a reference to an internal host
3. Use the /folder/list API to trigger a account refresh

Solution:
We now reject adding blacklisted network endpoints also when updating the account configuration.



---



Internal reference: DOCS-1844 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-06
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-8542
CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When pasting text from a native source to a OX Documents file, script code embedded within the paste content would be executed. This is related to a recent library update.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering.

Steps to reproduce:
1. Create a legitimate looking text documents and hide JS code within it
2. Make a user copy text from a native source (e.g. text file) and paste it to OX Documents

Solution:
We updated DOMpurify to a version which solves this vulnerability.



---



Internal reference: DOCS-1886, OXUIB-158 (Bug ID)
Vulnerability type: Cross-site scripting (CWE-80)
Vulnerable version: 7.10.3 and earlier
Vulnerable component: office-web, frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10
Vendor notification: 2019-03-18
Solution date: 2020-05-13
Public disclosure: 2020-08-20
Researcher Credits: chbi
CVE reference: CVE-2020-12646
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Script code embedded to PDF files could be executed when using documents preview.

Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. To trigger the vulnerable code a specific content-security-policy (worker-src blob:) is required.

Steps to reproduce:
1. Create a malicious PDF file containing script code
2. Send and make a user open this file using preview

Solution:
We updated PDF.js to a version which solves this vulnerability.