OX App Suite Cross Site Scripting / Command Injection
Posted Sep 2, 2022
Authored by Martin Heiland

OX App Suite versions 8.2 and earlier suffer from multiple cross site scripting vulnerabilities. Versions 7.10.6 and earlier suffer from a command injection vulnerability.

tags | advisory, vulnerability, xss
advisories | CVE-2022-29851, CVE-2022-29852, CVE-2022-29853, CVE-2022-31468
SHA-256 | df934839b9bb30ae7abcc52dec7595f09a5e03c04493af0116b03ecf48aee33b

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324
Vendor notification: 2022-03-30
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29852
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The output filter mechanism for binary data can be confused by using unknown media types. Some valid image formats were not part of our deny-list that handles potentially harmful content. Attackers can generate, upload and share malicious JS code disguised as the BMFreehand10 or image/x-freehand image file format. This format is not detected, and therefore no download gets enforced. Some browsers may attempt to render its content "inline".

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require access to the same OX App Suite instance, and the victim would have to follow a hyperlink.

Solution:
We improved content detection to include previously unknown media-types.
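The following is an added example, not OX App Suite code, illustrating the deny-list problem described above: a policy that only blocks media types it already knows about passes an unknown type such as image/x-freehand straight through as inline, whereas an allow-list that verifies the leading bytes of the stored content and sends nosniff forces everything unrecognised to be downloaded. The media types, magic bytes and the HTML sample are constructed for the example.

```python
"""Deciding whether a stored file may be rendered inline by the browser.

Added example, not OX App Suite code. It contrasts a deny-list that only
blocks media types it already knows about with an allow-list that verifies
the content and treats every unknown type as a download.
"""
from typing import Dict, Optional

# Constructed deny-list: types known to carry browser-executable content.
DENY_LIST = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/javascript"}

# Leading bytes of the types the hardened policy will render inline.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}
# text/plain has no magic; it is allowed because browsers do not execute it.
INLINE_ALLOW_LIST = set(MAGIC) | {"text/plain"}


def disposition_denylist(declared_type: str) -> str:
    """Weak policy: inline unless the declared type is on the deny-list.

    A type the list has never heard of (image/x-freehand, BMFreehand10, ...)
    falls through to "inline", and the browser is left to guess what it is.
    """
    return "attachment" if declared_type.lower() in DENY_LIST else "inline"


def sniff(data: bytes) -> Optional[str]:
    """Return the allow-listed type whose magic bytes match, if any."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def response_headers_allowlist(declared_type: str, data: bytes) -> Dict[str, str]:
    """Hardened policy: inline only for allow-listed types whose bytes agree
    with the declared type; everything else is a download, and nosniff stops
    the browser from second-guessing the Content-Type either way."""
    declared = declared_type.lower()
    if declared in MAGIC:
        safe = sniff(data) == declared
    else:
        safe = declared in INLINE_ALLOW_LIST
    headers = {"X-Content-Type-Options": "nosniff"}
    if safe:
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    disguised = b"<script>alert(1)</script>"  # constructed sample: script bytes with an image type
    print(disposition_denylist("image/x-freehand"))                   # inline
    print(response_headers_allowlist("image/x-freehand", disguised))  # attachment
```

The point of the allow-list variant is that adding a newly discovered type to a list is no longer required for safety: a type the server has not explicitly verified is never rendered inline.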

---

Internal reference: MWB-1572
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29853
CVSS: 4.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Malicious HTML content in an e-mail can be used to bypass existing content sanitization mechanisms. In this case an attacker adds junk code to force the "Show entire message" feature for huge HTML mails, which then generates malicious output. This involves a complex hierarchy of HTML elements and event handlers that confuses the existing sanitization logic.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require access to the same OX App Suite instance, and the victim would have to follow a hyperlink.

Solution:
We improved detection and handling of such huge HTML blocks to make sure no malicious content is returned to the client.

---

Internal reference: MWB-1602
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-31468
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Content stored in attachments or OX Drive can be requested by the client using the "len" and "off" parameters. Malicious HTML content is filtered; however, this filter does not apply to all kinds of HTML tags and allows malicious code to be extracted using the mentioned parameters.

Risk:
Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require access to the same OX App Suite instance, and the victim would have to follow a hyperlink.

Solution:
We improved detection and handling of malicious HTML content that is requested via offset and length parameters.
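The following is an added example, not OX App Suite code, serving both the "Show entire message" issue (MWB-1572) and the offset/length issue (MWB-1602) above. It contrasts a deny-list filter that only knows about script blocks and is run on a raw slice of the document with an allow-list sanitizer that rebuilds the whole document first and only then applies the client's offset and length; it also shows that a size limit on sanitization must degrade to plain text rather than return unfiltered HTML. The tag allow-list, the size limit and the sample mail are constructed for the example.

```python
"""Serving a client-requested slice of stored HTML without skipping the sanitizer.

Added example, not OX App Suite code. A deny-list filter applied to a raw
slice lets through any tag it does not know about; sanitizing the full
document from an allow-list and slicing the sanitized output means no byte
reaches the client that the sanitizer has not seen.
"""
import re
from html import escape
from html.parser import HTMLParser
from typing import Tuple

ALLOWED_TAGS = {"p", "b", "i", "br", "a"}          # constructed allow-list
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
MAX_SANITIZE_CHARS = 1_000_000                      # constructed size limit


class AllowListSanitizer(HTMLParser):
    """Rebuilds the document from an allow-list: unknown tags and all
    attributes except allow-listed ones are dropped, script/style bodies
    are discarded, and text is re-escaped on output."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. <img ... onerror=...> vanishes entirely
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(escape(data))


def sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def naive_filter(html: str) -> str:
    """Deny-list filter that only knows about <script> blocks."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", html, flags=re.I | re.S)


def serve_range_vulnerable(html: str, off: int, length: int) -> str:
    """Weak pattern: slice the raw document, then run the deny-list filter."""
    return naive_filter(html[off:off + length])


def serve_range_hardened(html: str, off: int, length: int,
                         max_chars: int = MAX_SANITIZE_CHARS) -> Tuple[str, str]:
    """Sanitize the whole document first, then slice the sanitized output.
    Content too large to sanitize is never returned as HTML: it is served as
    text/plain (with nosniff assumed on the response) instead of passing
    through unfiltered."""
    if len(html) > max_chars:
        return ("text/plain", html[off:off + length])
    clean = sanitize(html)
    return ("text/html", clean[off:off + length])


# Constructed sample mail body: one harmless paragraph, one event-handler payload,
# one script block.
SAMPLE = '<p>hello</p><img src="x" onerror="alert(1)"><script>alert(2)</script>'

if __name__ == "__main__":
    print(serve_range_vulnerable(SAMPLE, 0, len(SAMPLE)))  # onerror survives
    print(serve_range_hardened(SAMPLE, 0, len(SAMPLE)))    # ('text/html', '<p>hello</p>')
```

Because offsets are applied to the sanitized text, a client can page through a large message without ever being able to select a window of the raw document that the filter did not cover.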

---

Internal reference: DOCS-4428
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev5, 7.10.6-rev5
Vendor notification: 2022-04-19
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29851
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
If an instance running documentconverter (readerengine) has the non-default Ghostscript (gs) utility installed, it may get invoked when converting EPS files that are disguised as PDF files. Ghostscript suffers from a range of vulnerabilities, some of which could be exploited via readerengine. While most are non-deterministic and cannot be used to inflict relevant damage, a few may be used to execute code fragments, embedded in EPS files, on the target instance.

Risk:
Unauthorized code may be executed with the permissions of the "open-xchange" user on readerengine instances if additional software packages like gs are installed. We urge customers to apply best-practice system hardening, which includes removal of unused components.

Solution:
We removed a fallback to use external commands for processing EPS and other file formats.
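The following is an added example, not OX documentconverter or readerengine code, showing the shape of the fix described above: the converter decides which handler runs from the leading bytes of the content rather than from the file name or declared media type, and an input that matches no in-process handler is rejected and logged instead of being handed to an external command. The Upload type, the AUDIT_LOG list and the header-only PDF handler are hypothetical and constructed for the example; the PDF and PostScript/EPS signatures are the standard ones.

```python
"""Routing uploads to a converter by verified content, with no external-command fallback.

Added example, not OX documentconverter/readerengine code. The file name and
declared media type are untrusted; only the leading bytes decide which
in-process handler runs, and inputs that match no handler are rejected
instead of being handed to an external tool such as gs.
"""
import re
from dataclasses import dataclass
from typing import List

AUDIT_LOG: List[str] = []  # constructed stand-in for the server's security log


@dataclass
class Upload:
    filename: str        # attacker-controlled
    declared_type: str   # attacker-controlled
    data: bytes


class UnsupportedFormat(Exception):
    """Raised for any input the in-process converters do not handle."""


def detect_format(data: bytes) -> str:
    """Classify by magic bytes. A PDF starts with %PDF-; PostScript/EPS starts
    with %!PS or with the DOS EPS binary header C5 D0 D3 C6."""
    head = data[:32]
    if head.startswith(b"%PDF-"):
        return "pdf"
    if head.startswith(b"%!PS") or head.startswith(b"\xc5\xd0\xd3\xc6"):
        return "eps"
    return "unknown"


def pdf_version(data: bytes) -> str:
    """Hypothetical in-process PDF handler: here it only reads the header version."""
    m = re.match(rb"%PDF-(\d\.\d)", data)
    if m is None:
        raise UnsupportedFormat("not a PDF header")
    return m.group(1).decode("ascii")


def convert(upload: Upload) -> dict:
    """Dispatch on the detected format only. A mismatch between the declared
    type and the content is recorded, since an EPS arriving as
    application/pdf is exactly the input the advisory describes."""
    detected = detect_format(upload.data)
    if detected == "pdf":
        return {"format": "pdf", "pdf_version": pdf_version(upload.data)}
    reason = f"{upload.filename}: declared {upload.declared_type}, content is {detected}"
    if upload.declared_type == "application/pdf":
        reason += " (declared type does not match content)"
    AUDIT_LOG.append(reason)
    # No fallback here: an earlier design that shelled out to gs for inputs
    # it could not parse in-process is what the advisory's fix removed.
    raise UnsupportedFormat(reason)


if __name__ == "__main__":
    # Constructed samples: a genuine PDF header and an EPS uploaded under a .pdf name.
    genuine = Upload("a.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
    disguised = Upload("report.pdf", "application/pdf", b"%!PS-Adobe-3.0 EPSF-3.0\n")
    print(convert(genuine))
    try:
        convert(disguised)
    except UnsupportedFormat as exc:
        print("rejected:", exc)
```

On the detection side, the audit entries produced by the mismatch branch are the signal worth alerting on: a stream of "declared application/pdf, content is eps" rejections from one account is the visible trace of the attack path this advisory closes.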