Internal reference: OXUIB-1795 Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30 Discovery date: 2022-07-29 Solution date: 2022-10-21 Disclosure date: 2023-02-08 CVE: CVE-2022-37306 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: XSS using "upsell" triggers. Non-alphanumeric content can be injected by the user as JS content for the "upsell" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code. --- Internal reference: OXUIB-1933 Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite frontend 7.10.5-rev38, OX App Suite frontend 7.10.6-rev19 First fixed revision: OX App Suite frontend 7.10.5-rev39, OX App Suite frontend 7.10.6-rev20 Discovery date: 2022-09-26 Solution date: 2022-10-21 Disclosure date: 2023-02-08 CVE: CVE-2022-43696 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: XSS using "upsell ads". HTML content can be injected by the user as JS content for the "upsell ads" module. As a result, the code will be executed during subsequent logins and opening the "Portal" application, enabling a persistent cross-site scripting attack vector. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: We improved the sanitization process for upsell ads. --- Internal reference: MWB-1784 Vulnerability type: CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)) Component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30 Discovery date: 2022-08-16 Solution date: 2022-10-25 Disclosure date: 2023-02-08 CVE: CVE-2022-43697 CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) Details: "Tracking" features can be used to inject arbitrary script code. In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account. No publicly available exploits are known. Solution: We made the related jslob configuration endpoint read-only for users. --- Internal reference: MWB-1823 Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF)) Component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30 Discovery date: 2022-09-14 Solution date: 2022-10-24 Disclosure date: 2023-02-08 CVE: CVE-2022-43698 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Details: SSRF using POP3 account updates. When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values. Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known. Solution: We now check compliance with existing deny-list content when updating POP3 mail accounts. --- Internal reference: MWB-1862 Vulnerability type: CWE-918 (Server-Side Request Forgery (SSRF)) Component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30 Discovery date: 2022-10-06 Solution date: 2022-11-07 Disclosure date: 2023-02-08 CVE: CVE-2022-43699 CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) Details: Mail account discovery can be abused for SSRF. The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses. Risk: Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies. No publicly available exploits are known. Solution: We check for compliance with existing deny-list content when performing mail account autodiscovery. --- Internal reference: MWB-1882, DOCS-4580 Vulnerability type: CWE-94 (Improper Control of Generation of Code ('Code Injection')) Component: office Report confidence: Confirmed Solution status: Fixed by Vendor Last affected revision: OX App Suite backend 7.10.5-rev50, OX App Suite backend 7.10.6-rev29, OX App Suite office 7.10.5-rev10, OX App Suite office 7.10.6-rev5 First fixed revision: OX App Suite backend 7.10.5-rev51, OX App Suite backend 7.10.6-rev30, OX App Suite office 7.10.5-rev11, OX App Suite office 7.10.6-rev6 Discovery date: 2022-10-19 Solution date: 2022-10-21 Disclosure date: 2023-02-08 CVE: CVE-2022-42889 CVSS: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Details: Apache Commons Text Update. A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable. Risk: Remote Code Execution, see CVE-2022-42889. No publicly available exploits are known. Solution: We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.