oxas-adv-2024-0001
Vulnerability from csaf_ox
Published
2024-02-08 00:00
Modified
2024-04-25 00:00
Summary
OX App Suite Security Advisory OXAS-ADV-2024-0001
{
"document": {
"aggregate_severity": {
"text": "CRITICAL"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"lang": "en-US",
"publisher": {
"category": "vendor",
"name": "Open-Xchange GmbH",
"namespace": "https://open-xchange.com/"
},
"references": [
{
"category": "external",
"summary": "Release Notes",
"url": "https://documentation.open-xchange.com/appsuite/releases/8.21/"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6268_7.10.6_2024-02-08.pdf"
},
{
"category": "self",
"summary": "Canonical CSAF document",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0001.json"
},
{
"category": "self",
"summary": "Markdown representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2024/oxas-adv-2024-0001.md"
},
{
"category": "self",
"summary": "HTML representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0001.html"
},
{
"category": "self",
"summary": "Plain-text representation",
"url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2024/oxas-adv-2024-0001.txt"
},
{
"category": "external",
"summary": "Release Notes",
"url": "https://documentation.open-xchange.com/appsuite/releases/8.22/"
}
],
"title": "OX App Suite Security Advisory OXAS-ADV-2024-0001",
"tracking": {
"current_release_date": "2024-04-25T00:00:00+00:00",
"generator": {
"date": "2024-04-25T15:09:16+00:00",
"engine": {
"name": "OX CSAF",
"version": "1.0.0"
}
},
"id": "OXAS-ADV-2024-0001",
"initial_release_date": "2024-02-08T00:00:00+01:00",
"revision_history": [
{
"date": "2024-02-08T00:00:00+01:00",
"number": "1",
"summary": "Initial release"
},
{
"date": "2024-04-08T00:00:00+00:00",
"number": "2",
"summary": "Public release"
},
{
"date": "2024-04-11T00:00:00+00:00",
"number": "3",
"summary": "Public release"
},
{
"date": "2024-04-11T00:00:00+00:00",
"number": "4",
"summary": "Public release"
},
{
"date": "2024-04-25T00:00:00+00:00",
"number": "5",
"summary": "Public release"
},
{
"date": "2024-04-25T00:00:00+00:00",
"number": "6",
"summary": "Public release"
},
{
"date": "2024-04-25T00:00:00+00:00",
"number": "7",
"summary": "Public release"
}
],
"status": "final",
"version": "7"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev40",
"product": {
"name": "OX App Suite frontend 7.10.6-rev40",
"product_id": "OXAS-FRONTEND_7.10.6-rev40",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev40:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev54",
"product": {
"name": "OX App Suite frontend 7.6.3-rev54",
"product_id": "OXAS-FRONTEND_7.6.3-rev54",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev54:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.20",
"product": {
"name": "OX App Suite frontend 8.20",
"product_id": "OXAS-FRONTEND_8.20",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.20:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev41",
"product": {
"name": "OX App Suite frontend 7.10.6-rev41",
"product_id": "OXAS-FRONTEND_7.10.6-rev41",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev41:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6268"
}
]
}
}
},
{
"category": "product_version",
"name": "7.6.3-rev55",
"product": {
"name": "OX App Suite frontend 7.6.3-rev55",
"product_id": "OXAS-FRONTEND_7.6.3-rev55",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev55:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6268"
}
]
}
}
},
{
"category": "product_version",
"name": "8.21",
"product": {
"name": "OX App Suite frontend 8.21",
"product_id": "OXAS-FRONTEND_8.21",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.21:*:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "8.22",
"product": {
"name": "OX App Suite frontend 8.22",
"product_id": "OXAS-FRONTEND_8.22",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:app_suite:8.22:*:*:*:*:*:*:*"
}
}
}
],
"category": "product_name",
"name": "OX App Suite frontend"
},
{
"branches": [
{
"category": "product_version",
"name": "7.10.6-rev11",
"product": {
"name": "OX App Suite office 7.10.6-rev11",
"product_id": "OXAS-OFFICE_7.10.6-rev11",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev11:*:*:*:*:*:*"
}
}
},
{
"category": "product_version",
"name": "7.10.6-rev12",
"product": {
"name": "OX App Suite office 7.10.6-rev12",
"product_id": "OXAS-OFFICE_7.10.6-rev12",
"product_identification_helper": {
"cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev12:*:*:*:*:*:*",
"x_generic_uris": [
{
"namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
"uri": "urn:open-xchange:app_suite:patch-id:6268"
}
]
}
}
}
],
"category": "product_name",
"name": "OX App Suite office"
}
],
"category": "vendor",
"name": "Open-Xchange GmbH"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-23192",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-12-13T16:09:54+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2660"
}
],
"notes": [
{
"category": "description",
"text": "RSS feeds that contain malicious data- attributes could be abused to inject script code to a users browser session when reading compromised RSS feeds or successfully luring users to compromised accounts."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev41",
"OXAS-FRONTEND_7.6.3-rev55",
"OXAS-FRONTEND_8.21"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-05T09:45:21+01:00",
"details": "Please deploy the provided updates and patch releases. Potentially malicious attributes now get removed from external RSS content.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers could perform malicious API requests or extract information from the users account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS for RSS content using data-attributes"
},
{
"cve": "CVE-2024-23191",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2023-12-13T16:17:30+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2663"
}
],
"notes": [
{
"category": "description",
"text": "Upsell advertisement information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev41",
"OXAS-FRONTEND_7.6.3-rev55"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-02T09:56:42+01:00",
"details": "Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers could perform malicious API requests or extract information from the users account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS using data- attributes at upsell ads"
},
{
"cve": "CVE-2024-23190",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2024-01-09T08:50:29+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2688"
}
],
"notes": [
{
"category": "description",
"text": "Upsell shop information of an account can be manipulated to execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to a users account or an successful social engineering attack to lure users to maliciously configured accounts."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev41",
"OXAS-FRONTEND_7.6.3-rev55"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-02T09:50:15+01:00",
"details": "Please deploy the provided updates and patch releases. Sanitization of user-defined upsell content has been improved.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers could perform malicious API requests or extract information from the users account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS using \"data\" attributes at upsell shop"
},
{
"cve": "CVE-2024-23189",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2024-01-09T08:55:58+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "OXUIB-2689"
}
],
"notes": [
{
"category": "description",
"text": "Embedded content references at tasks could be used to temporarily execute script code in the context of the users browser session. To exploit this an attacker would require temporary access to the users account, access to another account within the same context or an successful social engineering attack to make users import external content."
}
],
"product_status": {
"first_fixed": [
"OXAS-FRONTEND_7.10.6-rev41",
"OXAS-FRONTEND_7.6.3-rev55",
"OXAS-FRONTEND_8.21"
],
"last_affected": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-01T13:36:07+01:00",
"details": "Please deploy the provided updates and patch releases. Sanitization of user-generated content has been improved.",
"product_ids": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"OXAS-FRONTEND_7.10.6-rev40",
"OXAS-FRONTEND_7.6.3-rev54",
"OXAS-FRONTEND_8.20"
]
}
],
"threats": [
{
"category": "impact",
"details": "Attackers could perform malicious API requests or extract information from the users account."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "XSS using tasks \"original mail\" references"
},
{
"cve": "CVE-2023-46604",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2024-01-24T10:38:36+01:00",
"ids": [
{
"system_name": "OX Bug",
"text": "DOCS-5222"
}
],
"notes": [
{
"category": "description",
"text": "CVE-2023-46604 has been identified at the Apache ActiveMQ (AMQ) project which affects a version of that component shipped by OX App Suite components."
}
],
"product_status": {
"first_fixed": [
"OXAS-OFFICE_7.10.6-rev12"
],
"last_affected": [
"OXAS-OFFICE_7.10.6-rev11"
]
},
"remediations": [
{
"category": "vendor_fix",
"date": "2024-02-06T13:46:56+01:00",
"details": "Please deploy the provided updates and patch releases. We provide an updated version of the affected component that is not vulnerable.",
"product_ids": [
"OXAS-OFFICE_7.10.6-rev11"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"OXAS-OFFICE_7.10.6-rev11"
]
}
],
"threats": [
{
"category": "impact",
"details": "The vulnerability in AMQ can potentially be exploited in OX App Suite deployments, depending on network topology and configuration."
},
{
"category": "exploit_status",
"details": "No publicly available exploits are known."
}
],
"title": "CVE-2023-46604 regarding office/dcs"
}
]
}
Loading...