OXAS-ADV-2023-0006
Vulnerability from csaf_ox
Published
2023-09-25 00:00
Modified
2024-01-22 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2023-0006



{
   document: {
      aggregate_severity: {
         text: "HIGH",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      lang: "en-US",
      publisher: {
         category: "vendor",
         name: "Open-Xchange GmbH",
         namespace: "https://open-xchange.com/",
      },
      references: [
         {
            category: "external",
            summary: "Release Notes",
            url: "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6251_7.10.6_2023-09-25.pdf",
         },
         {
            category: "self",
            summary: "Canonical CSAF document",
            url: "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0006.json",
         },
         {
            category: "self",
            summary: "Markdown representation",
            url: "https://documentation.open-xchange.com/appsuite/security/advisories/md/2023/oxas-adv-2023-0006.md",
         },
         {
            category: "self",
            summary: "HTML representation",
            url: "https://documentation.open-xchange.com/appsuite/security/advisories/html/2023/oxas-adv-2023-0006.html",
         },
         {
            category: "self",
            summary: "Plain-text representation",
            url: "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2023/oxas-adv-2023-0006.txt",
         },
      ],
      title: "OX App Suite Security Advisory OXAS-ADV-2023-0006",
      tracking: {
         current_release_date: "2024-01-22T00:00:00+00:00",
         generator: {
            date: "2024-01-22T15:39:58+00:00",
            engine: {
               name: "OX CSAF",
               version: "1.0.0",
            },
         },
         id: "OXAS-ADV-2023-0006",
         initial_release_date: "2023-09-25T00:00:00+02:00",
         revision_history: [
            {
               date: "2023-09-25T00:00:00+02:00",
               number: "1",
               summary: "Initial release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "2",
               summary: "Public release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "3",
               summary: "Public release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "4",
               summary: "Public release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "5",
               summary: "Public release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "6",
               summary: "Public release",
            },
            {
               date: "2024-01-22T00:00:00+00:00",
               number: "7",
               summary: "Public release",
            },
         ],
         status: "final",
         version: "7",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "7.10.6-rev51",
                        product: {
                           name: "OX App Suite backend 7.10.6-rev51",
                           product_id: "OXAS-BACKEND_7.10.6-rev51",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev51:*:*:*:*:*:*",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "8.17",
                        product: {
                           name: "OX App Suite backend 8.17",
                           product_id: "OXAS-BACKEND_8.17",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:8.17:*:*:*:*:*:*:*",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "7.10.6-rev52",
                        product: {
                           name: "OX App Suite backend 7.10.6-rev52",
                           product_id: "OXAS-BACKEND_7.10.6-rev52",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev52:*:*:*:*:*:*",
                              x_generic_uris: [
                                 {
                                    namespace: "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                                    uri: "urn:open-xchange:app_suite:patch-id:6251",
                                 },
                              ],
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "8.18",
                        product: {
                           name: "OX App Suite backend 8.18",
                           product_id: "OXAS-BACKEND_8.18",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:8.18:*:*:*:*:*:*:*",
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "OX App Suite backend",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "7.10.6-rev34",
                        product: {
                           name: "OX App Suite frontend 7.10.6-rev34",
                           product_id: "OXAS-FRONTEND_7.10.6-rev34",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev34:*:*:*:*:*:*",
                           },
                        },
                     },
                     {
                        category: "product_version",
                        name: "7.10.6-rev35",
                        product: {
                           name: "OX App Suite frontend 7.10.6-rev35",
                           product_id: "OXAS-FRONTEND_7.10.6-rev35",
                           product_identification_helper: {
                              cpe: "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev35:*:*:*:*:*:*",
                              x_generic_uris: [
                                 {
                                    namespace: "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                                    uri: "urn:open-xchange:app_suite:patch-id:6251",
                                 },
                              ],
                           },
                        },
                     },
                  ],
                  category: "product_name",
                  name: "OX App Suite frontend",
               },
            ],
            category: "vendor",
            name: "Open-Xchange GmbH",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-29051",
         cwe: {
            id: "CWE-284",
            name: "Improper Access Control",
         },
         discovery_date: "2023-09-21T00:08:33+02:00",
         ids: [
            {
               system_name: "OX Bug",
               text: "MWB-2315",
            },
         ],
         notes: [
            {
               category: "description",
               text: "User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.",
            },
         ],
         product_status: {
            first_fixed: [
               "OXAS-BACKEND_7.10.6-rev52",
               "OXAS-BACKEND_8.18",
            ],
            last_affected: [
               "OXAS-BACKEND_7.10.6-rev51",
               "OXAS-BACKEND_8.17",
            ],
         },
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-09-24T21:10:11+02:00",
               details: "Please deploy the provided updates and patch releases. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product.",
               product_ids: [
                  "OXAS-BACKEND_7.10.6-rev51",
                  "OXAS-BACKEND_8.17",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "OXAS-BACKEND_7.10.6-rev51",
                  "OXAS-BACKEND_8.17",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Unauthorized users could discover and modify application state, including objects related to other users and contexts.",
            },
            {
               category: "exploit_status",
               details: "No publicly available exploits are known.",
            },
         ],
         title: "User-defined templates can bypass access control",
      },
      {
         cve: "CVE-2023-29052",
         cwe: {
            id: "CWE-79",
            name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
         },
         discovery_date: "2023-09-07T15:21:55+02:00",
         ids: [
            {
               system_name: "OX Bug",
               text: "OXUIB-2532",
            },
         ],
         notes: [
            {
               category: "description",
               text: "Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly.",
            },
         ],
         product_status: {
            first_fixed: [
               "OXAS-FRONTEND_7.10.6-rev35",
            ],
            last_affected: [
               "OXAS-FRONTEND_7.10.6-rev34",
            ],
         },
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-09-24T21:44:21+02:00",
               details: "Please deploy the provided updates and patch releases. We added sanitization for this content.",
               product_ids: [
                  "OXAS-FRONTEND_7.10.6-rev34",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "OXAS-FRONTEND_7.10.6-rev34",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain.",
            },
            {
               category: "exploit_status",
               details: "No publicly available exploits are known.",
            },
         ],
         title: "XSS in upsell portal widget (shop disclaimer)",
      },
      {
         cve: "CVE-2023-41710",
         cwe: {
            id: "CWE-79",
            name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
         },
         discovery_date: "2023-09-07T15:27:19+02:00",
         ids: [
            {
               system_name: "OX Bug",
               text: "OXUIB-2533",
            },
         ],
         notes: [
            {
               category: "description",
               text: "User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM.",
            },
         ],
         product_status: {
            first_fixed: [
               "OXAS-FRONTEND_7.10.6-rev35",
            ],
            last_affected: [
               "OXAS-FRONTEND_7.10.6-rev34",
            ],
         },
         remediations: [
            {
               category: "vendor_fix",
               date: "2023-09-24T21:44:04+02:00",
               details: "Please deploy the provided updates and patch releases. We added sanitization for this content.",
               product_ids: [
                  "OXAS-FRONTEND_7.10.6-rev34",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "OXAS-FRONTEND_7.10.6-rev34",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain.",
            },
            {
               category: "exploit_status",
               details: "No publicly available exploits are known.",
            },
         ],
         title: "XSS in upsell portal widget (shop URL)",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.