OXAS-ADV-2023-0005

Vulnerability from csaf_ox - Published: 2023-09-19 00:00 - Updated: 2024-01-22 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2023-0005
Severity
High
CVE-2023-29048

A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user.

8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Vendor Fix Please deploy the provided updates and patch releases. The template engine has been reconfigured to deny execution of harmful commands on a system level.
CVE-2023-29050

The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy.

7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Vendor Fix Please deploy the provided updates and patch releases. Encoding has been added for user-provided fragments that are used when constructing the LDAP query.
CVE-2023-29049

The "upsell" widget at the portal page could be abused to inject arbitrary script code.

5.4 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vendor Fix Please deploy the provided updates and patch releases. User input for this widget is now sanitized to avoid malicious content the be processed.
References
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "text": "HIGH"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6248_7.10.6_2023-09-19.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0005.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2023/oxas-adv-2023-0005.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2023/oxas-adv-2023-0005.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2023/oxas-adv-2023-0005.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2023-0005",
    "tracking": {
      "current_release_date": "2024-01-22T00:00:00+00:00",
      "generator": {
        "date": "2024-01-22T15:43:48+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2023-0005",
      "initial_release_date": "2023-09-19T00:00:00+02:00",
      "revision_history": [
        {
          "date": "2023-09-19T00:00:00+02:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "3",
          "summary": "Public release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "4",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev50",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev50",
                  "product_id": "OXAS-BACKEND_7.10.6-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev51",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev51",
                  "product_id": "OXAS-BACKEND_7.10.6-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6248"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.16",
                "product": {
                  "name": "OX App Suite backend 8.16",
                  "product_id": "OXAS-BACKEND_8.16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.16:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.17",
                "product": {
                  "name": "OX App Suite backend 8.17",
                  "product_id": "OXAS-BACKEND_8.17",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.17:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite backend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev33",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev33",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev33",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev33:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev34",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev34",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev34",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev34:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6248"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-29048",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
      },
      "discovery_date": "2023-08-08T08:49:07+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-2261"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A component for parsing OXMF templates could be abused to execute arbitrary system commands that would be executed as the non-privileged runtime user."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev51"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev50"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-09-14T12:51:09+02:00",
          "details": "Please deploy the provided updates and patch releases. The template engine has been reconfigured to deny execution of harmful commands on a system level.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev50"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev50"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Users and attackers could run system commands with limited privilege to gain unauthorized access to confidential information and potentially violate integrity by modifying resources."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "OXMF templates allow remote code execution"
    },
    {
      "cve": "CVE-2023-29050",
      "cwe": {
        "id": "CWE-90",
        "name": "Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)"
      },
      "discovery_date": "2023-08-17T20:59:06+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-2274"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The optional \"LDAP contacts provider\" could be abused by privileged users to inject LDAP filter strings that allow to access content outside of the intended hierarchy."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev51",
          "OXAS-BACKEND_8.17"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev50",
          "OXAS-BACKEND_8.16"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-09-18T08:29:07+02:00",
          "details": "Please deploy the provided updates and patch releases. Encoding has been added for user-provided fragments that are used when constructing the LDAP query.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev50",
            "OXAS-BACKEND_8.16"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev50",
            "OXAS-BACKEND_8.16"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "LDAP filter injection vulnerability in Contacts Provider LDAP"
    },
    {
      "cve": "CVE-2023-29049",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2023-08-14T14:15:50+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2489"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The \"upsell\" widget at the portal page could be abused to inject arbitrary script code."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev34"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev33"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-09-18T15:22:30+02:00",
          "details": "Please deploy the provided updates and patch releases. User input for this widget is now sanitized to avoid malicious content the be processed.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev33"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev33"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Attackers that manage to lure users to a compromised account, or gain temporary access to a legitimate account, could inject script code to gain persistent code execution capabilities under a trusted domain."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS in upsell portal widget"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.