what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

OX App Suite Cross Site Scripting / Command Injection

OX App Suite Cross Site Scripting / Command Injection
Posted Sep 2, 2022
Authored by Martin Heiland

OX App Suite versions 8.2 and earlier suffer from multiple cross site scripting vulnerabilities. Versions 7.10.6 and earlier suffer from a command injection vulnerability.

tags | advisory, vulnerability, xss
advisories | CVE-2022-29851, CVE-2022-29852, CVE-2022-29853, CVE-2022-31468
SHA-256 | df934839b9bb30ae7abcc52dec7595f09a5e03c04493af0116b03ecf48aee33b

OX App Suite Cross Site Scripting / Command Injection

Change Mirror Download
Product: OX App Suite
Vendor: OX Software GmbH



Internal reference: MWB-1540
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.324
Vendor notification: 2022-03-30
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29852
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
The output filter mechanism for binary data can be confused by using unknown media-types. Some valid image formats were not part of our deny-list that handles potentially harmful content. Attackers can generate, upload and share malicious JS code, disguised as the BMFreehand10 or image/x-freehand image file format. This format is not detected and therefore no download gets enforced. Some browsers may attempt to render its content "inline".

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:
We improved content detection to include previously unknown media-types.



---



Internal reference: MWB-1572
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29853
CVSS: 4.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
Malicious HTML content at E-Mail can be abused to bypass existing content sanitization mechanisms. In this case an attacker adds junk code to force the "Show entire message" feature for huge HTML mails to generate malicious output. This involves a complex hierarchy of HTML elements and event handlers that confuse existing sanitization logic.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:
We improved detection and handling of such huge HTML blocks to make sure no malicious content is returned to the client.



---



Internal reference: MWB-1602
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev44, 7.10.6-rev16, 8.2.0
Vendor notification: 2022-04-20
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-31468
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
Content stored in attachments or OX Drive content can be requested by the client using "len" and "off" parameters. Malicious HTML content is filtered however this filter does not apply to all kind of HTML tags and allows to extract malicious code using the mentioned parameters.

Risk:
Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require access to the same OX App Suite instance and the victim to follow a hyperlink.

Solution:
We improved detection and handling of malicious HTML content that is requested via offset and length parameters.



---



Internal reference: DOCS-4428
Vulnerability type: OS Command Injection (CWE-78)
Vulnerable version: 7.10.6 and earlier
Vulnerable component: documentconverter
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.5-rev5, 7.10.6-rev5
Vendor notification: 2022-04-19
Solution date: 2022-06-10
Public disclosure: 2022-09-01
CVE reference: CVE-2022-29851
CVSS: 8.2 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:
In case an instance running documentconverter (readerengine) has non-default ghostscript (gs) utility installed, it may get invoked when converting EPS files that are disguised as PDF files. Ghostscript suffers from a range of vulnerabilities, some of which could be exploited via readerengine. While most are non-deterministic and cannot be used to inflict relevant damage, few may be used to execute code fragments, embedded in EPS files, on the target instance.

Risk:
Unauthorized code may be executed with persmissions of the "open-xchange" user on readerengine instances if additional software packages like gs are installed. We urge customers to apply best-practice system hardening, which includes removal of unused components.

Solution:
We removed a fallback to use external commands for processing EPS and other file formats.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close