Dear subscribers, we're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at HackerOne. Yours sincerely, Martin Heiland, Open-Xchange GmbH Product: OX App Suite / OX Documents Vendor: OX Software GmbH Internal reference: MWB-70 (Bug ID) Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2020-02-07 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: raiz_ CVE reference: CVE-2020-12646 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Our script filters did not consider the ancient media-type "text/x-javascript" as potentially malicious, however Google Chrome executes content of this type as script code. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. Steps to reproduce: 1. Upload a code snippet to Drive and modify its media-type 2. Share the file publicly and make a user open this link 3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter Solution: We improved our filter to consider this media-type. --- Internal reference: MWB-107 (Bug ID) Vulnerability type: Improper input validation (CWE-20) Vulnerable version: 7.10.1 to 7.10.3 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2020-02-24 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: Osama Hamad Shehab CVE reference: CVE-2020-12645 CVSS: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: When using OX App Suite for authentication directly, a login "rate-limit" is applied. This could be circumvented by exploiting logic issues when handling the clients user-agent string. Risk: Brute-force attempts could be made using large quantities of arbitrary passwords to discover account credentials. While this attack would be quite noisy it's possible that it may not get noticed on unmonitored systems. The attacker would still hit the generic API request limit at some point. Steps to reproduce: 1. Use the /login API and send login attempts until the rate-limit hits 2. Modify the user-agent string 3. Return login attempts Solution: We fixed the logic dealing with buckets of login processes to discover such attempts and correctly apply rate limiting. --- Internal reference: MWB-108 (Bug ID) Vulnerability type: Access Control Bypass (CWE-639) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2020-02-24 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: kattsson CVE reference: CVE-2020-12643 CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Incorrect permission checks were performed when requesting other users "snippets". This can be used to discover E-Mail addresses of external accounts. Risk: Potentially sensitive information about other users can be discovered and used for further attacks. Access is limited to users within the same context. Steps to reproduce: 1. Use the /api/subscriptions API and request arbitrary subscription IDs for other user IDs 2. If a combination of user ID and subscription ID matches, metadata about a subscription would be returned Solution: We improved permissions checks in this area to limit exposure of information. --- Internal reference: MWB-120 (Bug ID) Vulnerability type: Improper input validation (CWE-20) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2020-02-27 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: kattsson CVE reference: CVE-2020-12645 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) Vulnerability Details: Vacation notices could be used to send E-Mail with arbitrary sender information. Risk: Malicious users could set up vacation notices that send E-Mail responses with a forged sender address. Depending on the egress MTA configuration this can be used for impersonification. Steps to reproduce: 1. Create vacation notice and modify the "From" attribute by changing the API request 2. Make someone send E-Mail to this account or forge a "reply-to" header 3. E-Mail will be sent using illegitimate sender information Solution: We applied the same checks for vacation notices as we're using for regular user mail operations. --- Internal reference: MWB-190 (Bug ID) Vulnerability type: Cross-site scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2020-03-24 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: Alexey Petrenko CVE reference: CVE-2020-12646 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Our script filters did not consider the media-type "text/rdf" as potentially malicious, however Mozilla Firefox executes content of this type as script code. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. Steps to reproduce: 1. Upload a code snippet to Drive and modify its media-type 2. Share the file publicly and make a user open this link 3. Next, make the user visit a direct API reference to the file and add "delivery=view" as API parameter Solution: We improved our filter to consider this media-type. --- Internal reference: MWB-221 (Bug ID) Vulnerability type: Improper input validation (CWE-20) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2019-04-06 Solution date: 2020-05-13 Public disclosure: 2020-08-20 CVE reference: CVE-2020-12645 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Vulnerability Details: The /apps/load endpoint is used to pre-load various resources for optimized transfer. It's parameters can be abused to process content multiple times. Risk: Depending on the environments memory configuration and the amount of requested content, memory exhaustion can be triggered, leading to temporary unavailability of one or more nodes. Steps to reproduce: 1. Use the /apps/load API endpoint and supply up to 254 content references 2. Repeat and/or run this request in parallel Solution: We removed duplicate content from the request and make sure none is processed twice. Since only limited options for content exist we expect this to mitigate the attack vector. --- Internal reference: MWB-226 (Bug ID) Vulnerability type: Server-side request forgery (CWE-918) Vulnerable version: 7.10.3 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev70, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev12 Vendor notification: 2019-04-07 Solution date: 2020-05-13 Public disclosure: 2020-08-20 CVE reference: CVE-2020-12644 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Vulnerability Details: The mail account API can be used to inject references to internal network topology when updating existing accounts and subsequent requests would trigger network connections. Risk: Based on the response and timing of those connections and attacker can gain insight to internal network topology and configuration. This bypasses the existing blacklist. Steps to reproduce: 1. Add a new external mail account using a legitimate IMAP server 2. Modify this accounts configuration and add a reference to an internal host 3. Use the /folder/list API to trigger a account refresh Solution: We now reject adding blacklisted network endpoints also when updating the account configuration. --- Internal reference: DOCS-1844 (Bug ID) Vulnerability type: Cross-site scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: office-web, frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10 Vendor notification: 2019-03-06 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: chbi CVE reference: CVE-2020-8542 CVSS: 2.2 (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: When pasting text from a native source to a OX Documents file, script code embedded within the paste content would be executed. This is related to a recent library update. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. Steps to reproduce: 1. Create a legitimate looking text documents and hide JS code within it 2. Make a user copy text from a native source (e.g. text file) and paste it to OX Documents Solution: We updated DOMpurify to a version which solves this vulnerability. --- Internal reference: DOCS-1886, OXUIB-158 (Bug ID) Vulnerability type: Cross-site scripting (CWE-80) Vulnerable version: 7.10.3 and earlier Vulnerable component: office-web, frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.8.4-rev63, 7.10.1-rev31, 7.10.2-rev26, 7.10.3-rev10 Vendor notification: 2019-03-18 Solution date: 2020-05-13 Public disclosure: 2020-08-20 Researcher Credits: chbi CVE reference: CVE-2020-12646 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: Script code embedded to PDF files could be executed when using documents preview. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this an additional step is necessary which could be achieved through social engineering. To trigger the vulnerable code a specific content-security-policy (worker-src blob:) is required. Steps to reproduce: 1. Create a malicious PDF file containing script code 2. Send and make a user open this file using preview Solution: We updated PDF.js to a version which solves this vulnerability.