exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue

OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue
Posted Apr 11, 2024
Authored by Martin Heiland

OX App Suite version 7.10.6 suffers from cross site scripting and deserialization vulnerabilities.

tags | advisory, vulnerability, xss
advisories | CVE-2023-46604, CVE-2024-23189, CVE-2024-23190, CVE-2024-23191, CVE-2024-23192
SHA-256 | d67b15e5e463386e7b28cf5d7d03eebfcf3f668423493ad7f356fc890f038561

OX App Suite 7.10.6 Cross Site Scripting / Deserialization Issue

Change Mirror Download
Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH



Internal reference: OXUIB-2660
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.20
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.21
Discovery date: 2023-12-13
Solution date: 2024-02-05
Disclosure date: 2024-02-08
CVE: CVE-2024-23192
CVSS: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS for RSS content using data-attributes. RSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised RSS feeds or successfully luring users to compromised accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content.



---



Internal reference: OXUIB-2663
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2023-12-13
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23191
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using data- attributes at upsell ads. Upsell advertisement information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.



---



Internal reference: OXUIB-2688
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40
First fixed revision: OX App Suite frontend 7.10.6-rev41
Discovery date: 2024-01-09
Solution date: 2024-02-02
Disclosure date: 2024-02-08
CVE: CVE-2024-23190
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS using "data" attributes at upsell shop. Upsell shop information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts.

Risk:
Attackers could perform malicious API requests or extract information from the users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.



---



Internal reference: OXUIB-2689
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev40, OX App Suite frontend 8.21
First fixed revision: OX App Suite frontend 7.10.6-rev41, OX App Suite frontend 8.22
Discovery date: 2024-01-09
Solution date: 2024-02-01
Disclosure date: 2024-02-08
CVE: CVE-2024-23189
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Details:
XSS using tasks "original mail" references. Embedded content references at tasks could be used to temporarily execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to the users account, access to another account within the same context or an successful social engineering attack to make users import external content.

Risk:
Attackers could perform malicious API requests or extract information from the users account. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved.



---



Internal reference: DOCS-5222
Type: CWE-502 (Deserialization of Untrusted Data)
Component: office
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite office 7.10.6-rev11
First fixed revision: OX App Suite office 7.10.6-rev12
Discovery date: 2024-01-24
Solution date: 2024-02-06
Disclosure date: 2024-02-08
CVE: CVE-2023-46604
CVSS: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)

Details:
CVE-2023-46604 regarding office/dcs. CVE-2023-46604 has been identified at the Apache ActiveMQ (AMQ) project which affects a version of that component shipped by OX App Suite components.

Risk:
The vulnerability in AMQ can potentially be exploited in OX App Suite deployments, depending on network topology and configuration. No publicly available exploits are known.

Solution:
Please deploy the provided updates and patch releases. We provide an updated version of the affected component that is not vulnerable.
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close