oxas-adv-2023-0001
Vulnerability from csaf_ox
Published
2023-02-06 00:00
Modified
2024-01-22 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2023-0001
{
"document": {
"aggregate_severity": {
"text": "HIGH"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"lang": "en-US",
"publisher": {
"category": "vendor",
"name": "Open-Xchange GmbH",
"namespace": "https://open-xchange.com/"
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "http://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6209_7.10.6_2023-02-06.pdf"
},
{
"category": "self",
"summary": "Canonical CSAF document",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0001.json"
},
{
"category": "self",
"summary": "Markdown representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2023/oxas-adv-2023-0001.md"
},
{
"category": "self",
"summary": "HTML representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2023/oxas-adv-2023-0001.html"
},
{
"category": "self",
"summary": "Plain-text representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2023/oxas-adv-2023-0001.txt"
}
],
"title": "OX App Suite Security Advisory OXAS-ADV-2023-0001",
"tracking": {
"current_release_date": "2024-01-22T00:00:00+00:00",
"generator": {
"date": "2024-01-22T13:14:13+00:00",
"engine": {
"name": "OX CSAF",
"version": "1.0.0"
}
},
"id": "OXAS-ADV-2023-0001",
"initial_release_date": "2023-02-06T00:00:00+01:00",
"revision_history": [
{
"date": "2023-02-06T00:00:00+01:00",
"number": "1",
"summary": "Initial release"
},
{
"date": "2024-01-22T00:00:00+00:00",
"number": "2",
"summary": "Public release"
},
{
"date": "2024-01-22T00:00:00+00:00",
"number": "3",
"summary": "Public release"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev36",
"product": {
"name": "OX App Suite backend 7.10.6-rev36",
"product_id": "OXAS-BACKEND_7.10.6-rev36",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev36:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.8",
"product": {
"name": "OX App Suite backend 8.8",
"product_id": "OXAS-BACKEND_8.8",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.8:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev37",
"product": {
"name": "OX App Suite backend 7.10.6-rev37",
"product_id": "OXAS-BACKEND_7.10.6-rev37",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev37:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6209"
}
]
}
}
},
{
"category": "product_version",
"name": "8.9",
"product": {
"name": "OX App Suite backend 8.9",
"product_id": "OXAS-BACKEND_8.9",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.10",
"product": {
"name": "OX App Suite backend 8.10",
"product_id": "OXAS-BACKEND_8.10",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.10:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev66",
"product": {
"name": "OX App Suite backend 7.6.3-rev66",
"product_id": "OXAS-BACKEND_7.6.3-rev66",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev66:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev67",
"product": {
"name": "OX App Suite backend 7.6.3-rev67",
"product_id": "OXAS-BACKEND_7.6.3-rev67",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev67:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6209"
}
]
}
}
}
],
"category": "product_name",
"name": "OX App Suite backend"
},
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev23",
"product": {
"name": "OX App Suite frontend 7.10.6-rev23",
"product_id": "OXAS-FRONTEND_7.10.6-rev23",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev23:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev51",
"product": {
"name": "OX App Suite frontend 7.6.3-rev51",
"product_id": "OXAS-FRONTEND_7.6.3-rev51",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev51:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.8",
"product": {
"name": "OX App Suite frontend 8.8",
"product_id": "OXAS-FRONTEND_8.8",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.8:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev24",
"product": {
"name": "OX App Suite frontend 7.10.6-rev24",
"product_id": "OXAS-FRONTEND_7.10.6-rev24",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev24:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6209"
}
]
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev52",
"product": {
"name": "OX App Suite frontend 7.6.3-rev52",
"product_id": "OXAS-FRONTEND_7.6.3-rev52",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev52:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6209"
}
]
}
}
},
{
"category": "product_version",
"name": "8.9",
"product": {
"name": "OX App Suite frontend 8.9",
"product_id": "OXAS-FRONTEND_8.9",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.9:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "pre8.0",
"product": {
"name": "OX App Suite frontend pre8.0",
"product_id": "OXAS-FRONTEND_pre8.0",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:pre8.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.0",
"product": {
"name": "OX App Suite frontend 8.0",
"product_id": "OXAS-FRONTEND_8.0",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.0:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.6",
"product": {
"name": "OX App Suite frontend 8.6",
"product_id": "OXAS-FRONTEND_8.6",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.6:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.7",
"product": {
"name": "OX App Suite frontend 8.7",
"product_id": "OXAS-FRONTEND_8.7",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.7:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite frontend"
}
],
"category": "vendor",
"name": "Open-Xchange GmbH"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-24599",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2023-01-02T16:30:53+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1978"
}
],
"notes": [
{
"category": "description",
"text": "Appointments of other users could be changed without the appropriate autorization by sending conflicting object IDs within the same request."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37",
"OXAS-BACKEND_8.9"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.8"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-27T16:43:23+01:00",
"details": "Please deploy the provided updates and patch releases. We improved permission checks when updating appointments to restrict access.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers within the same context can modify fragments of appointment information from folders without read access, including other users personal calendar folders."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Users can change arbitrary appointments by ID confusion"
},
{
"cve": "CVE-2023-24603",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-03T14:06:48+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1981"
}
],
"notes": [
{
"category": "description",
"text": "HTTP client requests initiated by App Suite middleware were not stopping downloads for resources that exceed size limits."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37",
"OXAS-BACKEND_8.10"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-31T09:45:34+01:00",
"details": "Please deploy the provided updates and patch releases. We improved the limitation for content length and immediately stop downloading if a threshold is hit.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
}
],
"threats": [
{
"category": "impact",
"details": "In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Size limits for external content are not considered for data transfer"
},
{
"cve": "CVE-2023-24604",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-01-03T14:43:16+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1983"
}
],
"notes": [
{
"category": "description",
"text": "HTTP client requests initiated by App Suite middleware were not validating the lenght of HTTP headers."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37",
"OXAS-BACKEND_8.10"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-30T12:59:36+01:00",
"details": "Please deploy the provided updates and patch releases. We introduced a limitation for HTTP header length and reject processing if a threshold is hit.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_8.9"
]
}
],
"threats": [
{
"category": "impact",
"details": "In case an attacker-controlled resource (e.g. iCal feed) returned excessive amount of HTTP headers, the system could temporarily lock up processing those headers."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Header length does not get limited for external content"
},
{
"cve": "CVE-2023-24598",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2023-01-09T13:12:51+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1995"
}
],
"notes": [
{
"category": "description",
"text": "Editing distribution lists allows to add contacts from foreign accounts, where the attacker has no read access."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37",
"OXAS-BACKEND_7.6.3-rev67",
"OXAS-BACKEND_8.9"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-27T15:51:43+01:00",
"details": "Please deploy the provided updates and patch releases. We improved permission checks when editing distribution lists to restrict access.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers within the same context can discover fragments of contact information from folders without read access, including other users personal contact folders."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Distribution lists allow discovering private contacts of other users"
},
{
"cve": "CVE-2023-24605",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2023-01-10T09:29:23+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1997"
}
],
"notes": [
{
"category": "description",
"text": "When using the built-in multi-factor authentication, access to a number of API endpoints was possible prior to successful authentication using the second factor."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-10T15:03:35+01:00",
"details": "Please deploy the provided updates and patch releases. We added permission checks to make sure all kind of API paths are restricted prior to being fully authenticated.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers with access to victims credentials were able to perfom limited read operations on contacts and drive as well as modifying names of the multi-factor tokens."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "API access not fully restricted when requiring 2FA"
},
{
"cve": "CVE-2023-24600",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2023-01-10T15:58:54+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "MWB-1998"
}
],
"notes": [
{
"category": "description",
"text": "Folder ACL combinations like \"read own, delete all\" were incorrectly applied and allowed that users could move objects which they were not expected to read."
}
],
"product_status": {
"first_fixed": [
"OXAS-BACKEND_7.10.6-rev37",
"OXAS-BACKEND_7.6.3-rev67",
"OXAS-BACKEND_8.9"
],
"last_affected": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-27T15:21:48+01:00",
"details": "Please deploy the provided updates and patch releases. Permission checks have been updated and include checking for read permissions when performing move operations.",
"product_ids": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"OXAS-BACKEND_7.10.6-rev36",
"OXAS-BACKEND_7.6.3-rev66",
"OXAS-BACKEND_8.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moving objects to folders with read access effectively bypassed the \"read own\" restriction."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "\"Read own/delete all\" permissions allows moving other users contacts to own address book"
},
{
"cve": "CVE-2023-24597",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2023-01-03T12:26:53+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2130"
}
],
"notes": [
{
"category": "description",
"text": "When E-Mail is flagged as Spam or if a user has enabled the feature as a default, remote content in E-Mail is not requested automatically to improve users privacy. However when printing a E-Mail, external content was loaded automatically without user consent."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev24",
"OXAS-FRONTEND_7.6.3-rev52",
"OXAS-FRONTEND_8.9"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_8.8"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-26T14:40:23+01:00",
"details": "Please deploy the provided updates and patch releases. We now apply the same setting for loading external content when generating the E-Mail print content.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_8.8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_8.8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Malicious remote content in E-Mail, like tracking pixels, could be used to analyze user behaviour."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "Remote resources are loaded in print view"
},
{
"cve": "CVE-2023-24601",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-11-02T16:20:38+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2034"
}
],
"notes": [
{
"category": "description",
"text": "The \"registry\" sub-tree of the jslob API is used to define which application modules and dependencies shall be loaded. Users were able to inject arbitrary references, including malicious code."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev24",
"OXAS-FRONTEND_7.6.3-rev52",
"OXAS-FRONTEND_8.0"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_pre8.0"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-01-30T12:39:16+01:00",
"details": "Please deploy the provided updates and patch releases. We made the relevant jslob path read-only for users.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_pre8.0"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_7.6.3-rev51",
"OXAS-FRONTEND_pre8.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS with non-app deeplinks like \"registry\""
},
{
"cve": "CVE-2023-24602",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-11-02T16:13:12+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2033"
}
],
"notes": [
{
"category": "description",
"text": "External content, like post titles, have been evaluated as HTML when adding Tumblr feeds to the portal page."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev24",
"OXAS-FRONTEND_8.7"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_8.6"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2023-03-10T15:03:55+01:00",
"details": "Please deploy the provided updates and patch releases. We now insert untrusted external content as plain-text.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_8.6"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev23",
"OXAS-FRONTEND_8.6"
]
}
],
"threats": [
{
"category": "impact",
"details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface and API. To exploit this an attacker would require temporary access to the users account, compromise a Tumblr feed or make the victim include a malicious feed."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS at Tumblr portal widget due to missing content sanitization"
}
]
}
Loading...