Product: OX App Suite / OX Guard
Vendor: OX Software GmbH

Affected product: OX App Suite
Internal reference: OXUIB-481
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-09-28
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:
When searching for contacts in mobile mode (App Suite UI on a smartphone), specific fields of a contact object were not properly handled. This could lead to script execution in case the user's search yields contacts with malicious data.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to execute a specific action.

Steps to reproduce:
1. Create a malicious contact which contains script code as "position" or "company" value
2. Share the contact with the victim, for example within the same context or as vcard file
3. Make the victim search for this contact in mobile mode

Solution:
We improved how search results in mobile mode are being constructed and delivered, considering user-provided information as potentially malicious.
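The root cause in OXUIB-481 (and in the distribution-list case OXUIB-509 further down) is user-controlled contact fields reaching the search-result markup without encoding. The following is an added illustration, not OX App Suite code: a minimal string-templating renderer in its vulnerable and hardened form, plus a check a regression test can use to confirm no markup outside the template survives. The field names "position" and "company" come from the advisory; the template, helper names and the sample contact are constructed for this example. In a browser the same effect is achieved by assigning the fields via `textContent` instead of building HTML strings.

```javascript
// Added example (not OX App Suite code): encode contact fields before they
// are placed in search-result markup. The template and helper names are
// assumptions for illustration; "position" and "company" are the fields
// named in the advisory.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-provided fields are concatenated straight into
// markup, so any tag or event handler inside them becomes part of the page.
function renderContactUnsafe(contact) {
  return `<div class="contact">${contact.display_name}<span>${contact.position}, ${contact.company}</span></div>`;
}

// Hardened pattern: every user-controlled field passes through the escaper,
// so it can only ever be rendered as text.
function renderContactSafe(contact) {
  const name = escapeHtml(contact.display_name);
  const position = escapeHtml(contact.position);
  const company = escapeHtml(contact.company);
  return `<div class="contact">${name}<span>${position}, ${company}</span></div>`;
}

// Regression check: the rendered result must match the template shape exactly,
// with no '<' anywhere inside the text slots. Returns true when extra markup
// (an injected tag or attribute) made it through.
function containsUnexpectedMarkup(html) {
  const templateShape = /^<div class="contact">[^<]*<span>[^<]*<\/span><\/div>$/;
  return !templateShape.test(html);
}

// Constructed sample contact: a textbook XSS probe in "position" and
// characters that break attribute context in "company".
const maliciousContact = {
  display_name: 'Mallory Example',
  position: '<img src=x onerror=alert(1)>',
  company: 'ACME "Quotes" & Co',
};

console.log('unsafe:', renderContactUnsafe(maliciousContact));
console.log('safe:  ', renderContactSafe(maliciousContact));
console.log('unsafe leaks markup:', containsUnexpectedMarkup(renderContactUnsafe(maliciousContact)));
console.log('safe leaks markup:  ', containsUnexpectedMarkup(renderContactSafe(maliciousContact)));
```

Feeding contacts like `maliciousContact` through the renderer in a UI test suite is the cheapest way to catch a regression of this class: the assertion is simply that `containsUnexpectedMarkup` stays false for every rendered result.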
---

Affected product: OX App Suite
Internal reference: OXUIB-491
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-01
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
An undocumented component did not correctly handle user-generated content when displaying the information to a user.

Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a link provided by the attacker.

Steps to reproduce:
1. Create or upload a malicious "Notes" item
2. Share that item with a user within the same context and make them open it

Proof of concept:
xx ![](http://onerror=Function.constructor`\x61\x6c\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3b`.call``;// ) yy

Solution:
We disabled the ability to launch the undocumented component for the time being and therefore the risk of executing malicious content as code.

---

Affected product: OX App Suite
Internal reference: OXUIB-509
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Vulnerability Details:
Contact "distribution lists" can be created in a way that they contain script code, which is then executed in the "scheduling" view.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to import data and/or execute a specific action.

Steps to reproduce:
1. Create a malicious distribution list where a member contains malicious script code as "common name"
2. Share the distribution list with the victim, for example within the same context or as vcard file
3. Make the victim add this distribution list to the "scheduling" view in calendar

Proof of concept:
" "

Solution:
We improved how the "scheduling" overview is being constructed and delivered, considering user-provided information as potentially malicious.

---

Affected product: OX App Suite
Internal reference: MWB-646
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev28, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28943
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Vulnerability Details:
Snippets are used to temporarily store content for internal handling, for example when using mail signatures or E-Mail attachments while moving them to Drive ("managed files"). The identifiers of those snippets could be defined via an API call and are used as the reference when retrieving the file from any of the caches. When timing this retrieval correctly and waiting for cache eviction and garbage collection, those snippets could be used to reference arbitrary network resources instead of the snippet content while moving the snippet back from the distributed to the local cache. Path traversal techniques could be used to escape the predefined valid URI for those snippets.
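The mechanism described for MWB-646 is a caller-chosen identifier being spliced into a fixed base URI, so that a relative or absolute reference redirects the middleware's own request. The block below is an added illustration, not OX middleware code: it shows the unsafe resolution, the hardened resolution that percent-encodes the identifier as a single path segment and then verifies origin and path prefix (the kind of URI encoding the advisory's fix refers to), and a probe helper for regression tests. The base URI `http://managed-files.internal/snippets/`, the probe identifiers and the function names are constructed assumptions.

```javascript
// Added example (not OX middleware code): resolving a caller-supplied snippet
// identifier against a fixed base URI, unsafe and hardened. The base URI,
// identifiers and function names are assumptions for illustration.

const SNIPPET_BASE = 'http://managed-files.internal/snippets/';

// Unsafe: the identifier is used verbatim as a URI reference. A "../" segment,
// an absolute URL or a scheme-relative "//host/..." all move the request away
// from the snippet namespace.
function snippetUrlUnsafe(id) {
  return new URL(id, SNIPPET_BASE).href;
}

// Hardened: reject empty or oversized identifiers, percent-encode the rest so
// it can only ever be one path segment, then verify the resolved URI still has
// the expected origin and path prefix before it is handed to any HTTP client.
// Returns null when the identifier is unacceptable.
function snippetUrlSafe(id) {
  if (typeof id !== 'string' || id.length === 0 || id.length > 128) return null;
  const base = new URL(SNIPPET_BASE);
  const url = new URL(encodeURIComponent(id), SNIPPET_BASE);
  if (url.origin !== base.origin || !url.pathname.startsWith(base.pathname)) return null;
  return url.href;
}

// Regression probe: would this identifier, used verbatim, leave the namespace?
function escapesNamespace(id) {
  const base = new URL(SNIPPET_BASE);
  const url = new URL(id, SNIPPET_BASE);
  return url.origin !== base.origin || !url.pathname.startsWith(base.pathname);
}

// Constructed probe identifiers: one benign, three that escape when unencoded.
const probes = [
  'a1b2c3',                         // ordinary identifier
  '../../admin/status',             // path traversal out of /snippets/
  'http://other.internal/resource', // absolute URL replaces the base entirely
  '//other.internal/resource',      // scheme-relative URL swaps the host
];

for (const id of probes) {
  console.log(JSON.stringify(id), 'escapes when unencoded:', escapesNamespace(id));
  console.log('  unsafe ->', snippetUrlUnsafe(id));
  console.log('  safe   ->', snippetUrlSafe(id));
}
```

Two things worth noting from the output: with the encoded form every probe stays under `/snippets/`, because the WHATWG URL parser treats `%2F` as a literal character rather than a path separator and does not collapse `..%2F..` as a dot segment; and the check is deliberately kept after the encoding so a future change to the encoding step cannot silently reopen the hole. A stricter allowlist on identifier characters and the egress restriction the advisory itself recommends (Security Manager configuration) are the complementary layers.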
Risk:
Arbitrary network resources could be requested by a malicious user through the middleware, including resources within an internal trust boundary where the OX App Suite middleware operates. In case of web services, this could expose the response of the service to the user. Services that use authentication or do not respond to GET requests are not affected.

Steps to reproduce:
1. Create a snippet (e.g. image attachment) and use a malicious identifier
2. Wait for a couple of minutes until the snippet expires from the local map
3. Request the snippet to force it to be fetched from the distributed map, using the malicious reference

Solution:
We now use URI encoding when retrieving distributed managed files to avoid the ability to request resources out of scope for the application. Independent from this, we suggest that operators use the existing Security Manager configuration to restrict network access of the middleware process to a reasonable scope.

---

Affected product: OX Guard
Internal reference: GUARD-228
Vulnerability type: Denial Of Service (CWE-400)
Vulnerable version: 2.10.4 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.3-rev8, 2.10.4-rev5
Vendor notification: 2020-11-02
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28944
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)

Vulnerability Details:
WKS is being used as an option to retrieve a user's public key material for encrypted mail communication. In case an attacker would set up malicious WKS infrastructure, OX Guard can be tricked into keeping connections open for a long period of time or processing unusually large chunks of data.

Risk:
OX Guard nodes could be forced to exhaust system resources like network sockets, memory and connection pools. This would lead to temporary unavailability of the service.

Steps to reproduce:
1. Set up a malicious WKS service that responds very slowly and/or with huge amounts of data
2. Add one or more E-Mail recipients in OX App Suite whose domain is handled by this malicious WKS service

Solution:
We added timeouts for both size and total connection duration to avoid being stuck processing responses from malicious sources.
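The two limits named in the GUARD-228 solution, a cap on response size and a deadline on total connection duration, are what distinguish a safe key lookup from one a slow or oversized responder can pin indefinitely. The block below is an added illustration, not OX Guard code: a bounded reader over an async stream of response chunks, exercised against a constructed stand-in for a WKS server that can be made slow or verbose. Note that a per-read socket timeout alone does not cover the slow case, since a peer that sends one byte just under each timeout keeps the connection alive forever; the deadline here is on the whole exchange. The limit values, the simulated server and the function names are assumptions chosen for this example.

```javascript
// Added example (not OX Guard code): read a remote key-server response under
// a total-bytes cap and a total-elapsed-time deadline. Limits, the simulated
// server and function names are assumptions for illustration.

const MAX_RESPONSE_BYTES = 64 * 1024; // generous upper bound for one key lookup
const MAX_TOTAL_MS = 2000;             // deadline for the entire exchange

// Consume an async iterable of Buffer chunks. Resolves with the body, or
// rejects with 'deadline exceeded' / 'response too large'. Never waits past
// the deadline, even if the peer trickles data or stalls between chunks.
async function readBounded(chunks, { maxBytes = MAX_RESPONSE_BYTES, maxMs = MAX_TOTAL_MS } = {}) {
  const deadline = Date.now() + maxMs;
  const iterator = chunks[Symbol.asyncIterator]();
  const parts = [];
  let received = 0;
  try {
    for (;;) {
      const remaining = deadline - Date.now();
      if (remaining <= 0) throw new Error('deadline exceeded');
      // Race the next chunk against the time left, so the wait shrinks as the
      // exchange goes on instead of resetting on every byte received.
      let timer;
      const timeout = new Promise((_, reject) => {
        timer = setTimeout(() => reject(new Error('deadline exceeded')), remaining);
      });
      let next;
      try {
        next = await Promise.race([iterator.next(), timeout]);
      } finally {
        clearTimeout(timer);
      }
      if (next.done) break;
      received += next.value.length;
      if (received > maxBytes) throw new Error('response too large');
      parts.push(next.value);
    }
    return Buffer.concat(parts);
  } finally {
    // Release the source; with a real socket this is where the connection is
    // destroyed. Not awaited, so a stalled peer cannot delay the caller further.
    if (typeof iterator.return === 'function') iterator.return().catch(() => {});
  }
}

// Wrapper that turns the outcome into a plain result object for callers and tests.
async function lookupWithLimits(chunks, limits) {
  try {
    const body = await readBounded(chunks, limits);
    return { ok: true, bytes: body.length };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed stand-in for a WKS server: emits `count` chunks of `size` bytes,
// pausing `delayMs` before each one. Tune the parameters to model a
// well-behaved server, a slow one, or one that floods the client.
async function* simulatedWks({ count, size, delayMs }) {
  for (let i = 0; i < count; i++) {
    await new Promise((resolve) => setTimeout(resolve, delayMs));
    yield Buffer.alloc(size, 0x41);
  }
}

(async () => {
  console.log('normal:  ', await lookupWithLimits(simulatedWks({ count: 4, size: 1024, delayMs: 5 })));
  console.log('slow:    ', await lookupWithLimits(simulatedWks({ count: 10, size: 16, delayMs: 150 }), { maxMs: 200 }));
  console.log('oversize:', await lookupWithLimits(simulatedWks({ count: 3, size: 40000, delayMs: 1 })));
})();
```

On the operational side, both failure reasons are worth counting separately per remote domain: a spike in `deadline exceeded` or `response too large` from one WKS host is the signal that a recipient domain is misbehaving, and it arrives long before socket or pool exhaustion would.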