Dear subscribers,

We're sharing our latest advisory with you and would like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs (appsuite, dovecot, powerdns) at HackerOne.

Yours sincerely,
Martin Heiland, Open-Xchange GmbH

Product: OX App Suite
Vendor: OX Software GmbH

Internal reference: 64680 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-09
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11521
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Vulnerability Details:
Appointment titles are rendered as hyperlinks but were missing protection against "tab nabbing".

Risk:
When following a hyperlink to a malicious website, the original tab location (OX App Suite) could be replaced with a URL chosen by the attacker. This can be exploited to trick users into re-entering credentials on a seemingly legitimate website and, as a result, take over accounts.

Steps to reproduce:
1. Create an appointment invitation that contains a link to a malicious website including a blank "target" attribute
2. Make the user accept the invitation and click the hyperlink at the appointment's title
3. Provide an effective exploit to overwrite the user's original URL and fake a login page

Proof of concept:
Appointment title content: Click Me! :-)
Payload:

Solution:
We extended the usage of existing protection mechanisms (blankshield) to this case.
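As an added example (this is neither OX App Suite's code nor the blankshield library itself), the following JavaScript shows the two defensive pieces a reverse-tabnabbing fix of the kind described above needs: every link that opens a new browsing context gets rel="noopener noreferrer", and links opened programmatically are opened with the "noopener" feature and, as a fallback for older browsers, have their opener reference severed. The app origin used to resolve relative links, the injectable window-like object, and the scheme allow-list are assumptions made so the functions can be exercised outside a browser.

```javascript
// Added example, not OX App Suite or blankshield code: defensive handling of
// hyperlinks that open in a new tab, so the opened page cannot reach back to
// the opener tab through window.opener and replace its location.

// Assumption: only these URL schemes may be opened from user-supplied content.
// This rejects javascript:, data:, vbscript: and other script-bearing schemes.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Assumption: the app's own origin, used to resolve relative hrefs.
const APP_ORIGIN = 'https://app.example.invalid/';

// Resolve an href and return its absolute form, or null if it is malformed or
// uses a scheme outside the allow-list.
function resolveSafeHref(href, base = APP_ORIGIN) {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return null; // unparsable href: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Given the attributes of an <a> element as a plain object, return a copy whose
// rel= attribute carries noopener and noreferrer whenever target="_blank".
// Existing rel tokens (e.g. nofollow) are preserved; order is kept stable.
function hardenAnchorAttrs(attrs) {
  const out = { ...attrs };
  const target = (attrs.target || '').trim().toLowerCase();
  if (target === '_blank') {
    const tokens = (attrs.rel || '').split(/\s+/).filter(Boolean).map((t) => t.toLowerCase());
    const rel = new Set(tokens);
    rel.add('noopener');
    rel.add('noreferrer');
    out.rel = [...rel].join(' ');
  }
  return out;
}

// Open an external link in a new browsing context with the opener severed.
// `win` is a window-like object with an open(url, target, features) method,
// injected so the function can run (and be tested) outside a browser.
function openExternal(href, win) {
  const safe = resolveSafeHref(href);
  if (safe === null) return null;
  // Browsers that honour the 'noopener' feature return null here and the new
  // context never gets an opener at all.
  const handle = win.open(safe, '_blank', 'noopener');
  if (handle) {
    // Older browsers ignore 'noopener' and hand back the new window; sever the
    // back-reference explicitly so it cannot navigate this tab.
    handle.opener = null;
  }
  return { url: safe, handle };
}

// Browser wiring (a no-op outside a DOM): route clicks on links that would
// open a new tab through openExternal() instead of the default navigation.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  document.addEventListener('click', (ev) => {
    const anchor = ev.target && ev.target.closest && ev.target.closest('a[target="_blank"]');
    if (!anchor) return;
    ev.preventDefault();
    openExternal(anchor.getAttribute('href'), window);
  });
}

module.exports = { resolveSafeHref, hardenAnchorAttrs, openExternal };
```

Both halves matter: the rel attribute protects links the browser navigates on its own, while openExternal() covers links the application opens from script; the scheme allow-list is defence in depth so that a title containing a script-scheme href is never opened at all.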
---

Internal reference: 64682 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.0 and 7.10.1
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.0-rev31, 7.10.1-rev12
Vendor notification: 2019-04-15
Solution date: 2019-05-13
Public disclosure: 2019-08-15
Researcher Credits: zee_shan
CVE reference: CVE-2019-11522
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

Vulnerability Details:
When replying to an HTML E-Mail with a specific payload, that payload could be executed as script code. The user would have to have HTML composing enabled to exploit this vulnerability. This vulnerability could happen because browsers incorrectly "fix" HTML content, as demonstrated by @kinugawamasato for Google Search.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).

Steps to reproduce:
1. Create an E-Mail with malicious content and deliver it to the user
2. Make the user "reply" to the E-Mail

Proof of concept:
Test