Vulnerability-Lookup

OXAS-ADV-2024-0003

Vulnerability from csaf_ox - Published: 2024-04-24 00:00 - Updated: 2024-08-19 00:00

Summary

OX App Suite Security Advisory OXAS-ADV-2024-0003

Severity

Medium

CVE-2024-25710

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects a Apache Commons Compress library shipped with OX App Suite.

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Affected products

Last affected 2 products

Product	Identifier	Version	Remediation
OX App Suite backend 7.10.6-rev61 Open-Xchange GmbH / OX App Suite backend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev61::::::`	7.10.6-rev61	Vendor Fix
OX App Suite backend 8.22 Open-Xchange GmbH / OX App Suite backend	`cpe:2.3:a:open-xchange:app_suite:8.22:::::::*`	8.22	Vendor Fix

First fixed 2 products

Product	Identifier	Version	Remediation
OX App Suite backend 7.10.6-rev62 Open-Xchange GmbH / OX App Suite backend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev62::::::`	7.10.6-rev62
OX App Suite backend 8.23 Open-Xchange GmbH / OX App Suite backend	`cpe:2.3:a:open-xchange:app_suite:8.23:::::::*`	8.23

Threats

Impact The vulnerability can potentially be exploited through OX App Suite and affect availability of the service.

Exploit Status No publicly available exploits are known.

CVE-2024-25582

Module savepoints could be abused to inject references to malicious code delivered through the same domain.

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected products

Last affected 1 product

Product	Identifier	Version	Remediation
OX App Suite frontend 7.10.6-rev42 Open-Xchange GmbH / OX App Suite frontend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev42::::::`	7.10.6-rev42	Vendor Fix

First fixed 1 product

Product	Identifier	Version	Remediation
OX App Suite frontend 7.10.6-rev43 Open-Xchange GmbH / OX App Suite frontend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev43::::::`	7.10.6-rev43

Threats

Impact Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account.

Exploit Status No publicly available exploits are known.

CVE-2021-41184

JQuery third-party components with known vulnerabilities have been shipped.

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Affected products

Last affected 1 product

Product	Identifier	Version	Remediation
OX App Suite frontend 7.10.6-rev42 Open-Xchange GmbH / OX App Suite frontend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev42::::::`	7.10.6-rev42	Vendor Fix

First fixed 1 product

Product	Identifier	Version	Remediation
OX App Suite frontend 7.10.6-rev43 Open-Xchange GmbH / OX App Suite frontend	`cpe:2.3:a:open-xchange:app_suite:7.10.6:rev43::::::`	7.10.6-rev43

Threats

Impact This update serves as a preventive measure since no practical exploitation in the context of OX App Suite is feasible.

Exploit Status No publicly available exploits are known.

References

5 references

URL	Category
https://software.open-xchange.com/products/appsui…	external
https://documentation.open-xchange.com/appsuite/s…	self
https://documentation.open-xchange.com/appsuite/s…	self
https://documentation.open-xchange.com/appsuite/s…	self
https://documentation.open-xchange.com/appsuite/s…	self

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "MEDIUM"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2024/oxas-adv-2024-0003.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2024/oxas-adv-2024-0003.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2024/oxas-adv-2024-0003.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2024-0003",
    "tracking": {
      "current_release_date": "2024-08-19T00:00:00+00:00",
      "generator": {
        "date": "2024-08-19T07:26:47+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2024-0003",
      "initial_release_date": "2024-04-24T00:00:00+02:00",
      "revision_history": [
        {
          "date": "2024-04-24T00:00:00+02:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2024-08-19T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        },
        {
          "date": "2024-08-19T00:00:00+00:00",
          "number": "3",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev61",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev61",
                  "product_id": "OXAS-BACKEND_7.10.6-rev61",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev61:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.22",
                "product": {
                  "name": "OX App Suite backend 8.22",
                  "product_id": "OXAS-BACKEND_8.22",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.22:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev62",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev62",
                  "product_id": "OXAS-BACKEND_7.10.6-rev62",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev62:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.23",
                "product": {
                  "name": "OX App Suite backend 8.23",
                  "product_id": "OXAS-BACKEND_8.23",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.23:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite backend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev42",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev42",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev42",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev42:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev43",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev43",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev43",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev43:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6277"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-25710",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2024-03-01T16:15:20+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-2525"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress. This issue affects a Apache Commons Compress library shipped with OX App Suite."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.6-rev62",
          "OXAS-BACKEND_8.23"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.6-rev61",
          "OXAS-BACKEND_8.22"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-04-11T14:13:57+02:00",
          "details": "Please deploy the provided updates and patch releases. We have updated the vulnerable library as a precaution to avoid potential exploitation.",
          "product_ids": [
            "OXAS-BACKEND_7.10.6-rev61",
            "OXAS-BACKEND_8.22"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.6-rev61",
            "OXAS-BACKEND_8.22"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "The vulnerability can potentially be exploited through OX App Suite and affect availability of the service."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Apache Commons Compress library is prone to a denial of service (DoS) vulnerability."
    },
    {
      "cve": "CVE-2024-25582",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-01-30T08:49:22+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2718"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Module savepoints could be abused to inject references to malicious code delivered through the same domain."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev43"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev42"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-04-04T15:19:41+02:00",
          "details": "Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev42"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev42"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS using arbitrary relative path to UI module"
    },
    {
      "cve": "CVE-2021-41184",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2024-01-15T14:01:36+01:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-2699"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "JQuery third-party components with known vulnerabilities have been shipped."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev43"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev42"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-03-28T15:13:17+01:00",
          "details": "Please deploy the provided updates and patch releases. The relevant components have been updated to mitigate potential exploitation.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev42"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev42"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This update serves as a preventive measure since no practical exploitation in the context of OX App Suite is feasible."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Outdated jquery-ui shipped with 7.10.6"
    }
  ]
}

CVE-2021-41184 (GCVE-0-2021-41184)

Vulnerability from cvelistv5 – Published: 2021-10-26 00:00 – Updated: 2025-11-04 16:09

Title

XSS in the `of` option of the `.position()` util

Summary

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

14 references

URL	Tags
https://blog.jqueryui.com/2021/10/jquery-ui-1-13-…
https://github.com/jquery/jquery-ui/security/advi…
https://github.com/jquery/jquery-ui/commit/effa32…
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-2021111…
https://www.drupal.org/sa-core-2022-001
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.tenable.com/security/tns-2022-09
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
https://lists.debian.org/debian-lts-announce/2023…

Impacted products

1 product

Vendor	Product	Version
jquery	jquery-ui	Affected: < 1.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:09:17.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280"
          },
          {
            "name": "FEDORA-2021-51c256bf87",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/"
          },
          {
            "name": "FEDORA-2021-ab38307fc3",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/"
          },
          {
            "name": "FEDORA-2021-013ab302be",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20211118-0004/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.drupal.org/sa-core-2022-001"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2022-09"
          },
          {
            "name": "FEDORA-2022-9d655503ea",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"
          },
          {
            "name": "FEDORA-2022-bf18450366",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jquery-ui",
          "vendor": "jquery",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-31T02:06:17.867Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://blog.jqueryui.com/2021/10/jquery-ui-1-13-0-released/"
        },
        {
          "url": "https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327"
        },
        {
          "url": "https://github.com/jquery/jquery-ui/commit/effa323f1505f2ce7a324e4f429fa9032c72f280"
        },
        {
          "name": "FEDORA-2021-51c256bf87",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O74SXYY7RGXREQDQUDQD4BPJ4QQTD2XQ/"
        },
        {
          "name": "FEDORA-2021-ab38307fc3",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SNXA7XRKGINWSUIPIZ6ZBCTV6N3KSHES/"
        },
        {
          "name": "FEDORA-2021-013ab302be",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXIUUBRVLA4E7G7MMIKCEN75YN7UFERW/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20211118-0004/"
        },
        {
          "url": "https://www.drupal.org/sa-core-2022-001"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "url": "https://www.tenable.com/security/tns-2022-09"
        },
        {
          "name": "FEDORA-2022-9d655503ea",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/"
        },
        {
          "name": "FEDORA-2022-bf18450366",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html"
        }
      ],
      "source": {
        "advisory": "GHSA-gpqq-952q-5327",
        "discovery": "UNKNOWN"
      },
      "title": "XSS in the `of` option of the `.position()` util"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41184",
    "datePublished": "2021-10-26T00:00:00.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2025-11-04T16:09:17.971Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-25582 (GCVE-0-2024-25582)

Vulnerability from cvelistv5 – Published: 2024-08-19 06:59 – Updated: 2025-11-04 16:11

Summary

Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known.

Severity

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

References

2 references

URL	Tags
https://software.open-xchange.com/products/appsui…	release-notes
https://documentation.open-xchange.com/appsuite/s…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Open-Xchange GmbH	OX App Suite	Affected: 0 , ≤ 7.10.6-rev42 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-19T13:30:47.579319Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:56:58.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:11:22.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "frontend"
          ],
          "product": "OX App Suite",
          "vendor": "Open-Xchange GmbH",
          "versions": [
            {
              "lessThanOrEqual": "7.10.6-rev42",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Module savepoints could be abused to inject references to malicious code delivered through the same domain. Attackers could perform malicious API requests or extract information from the users account. Exploiting this vulnerability requires temporary access to an account or successful social engineering to make a user follow a prepared link to a malicious account. Please deploy the provided updates and patch releases. The savepoint module path has been restricted to modules that provide the feature, excluding any arbitrary or non-existing modules. No publicly available exploits are known."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "cwe"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-19T07:26:52.397Z",
        "orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
        "shortName": "OX"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6277_7.10.6_2024-05-06.pdf"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2024/oxas-adv-2024-0003.json"
        }
      ],
      "source": {
        "defect": "OXUIB-2718",
        "discovery": "INTERNAL"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
    "assignerShortName": "OX",
    "cveId": "CVE-2024-25582",
    "datePublished": "2024-08-19T06:59:17.511Z",
    "dateReserved": "2024-02-08T08:15:37.204Z",
    "dateUpdated": "2025-11-04T16:11:22.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-25710 (GCVE-0-2024-25710)

Vulnerability from cvelistv5 – Published: 2024-02-19 08:33 – Updated: 2025-11-04 16:11

Title

Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

apache

References

3 references

URL	Tags
https://lists.apache.org/thread/cz8qkcwphy4cx8glt…	vendor-advisory
http://www.openwall.com/lists/oss-security/2024/02/19/1
https://security.netapp.com/advisory/ntap-2024030…

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Commons Compress	Affected: 1.3 , ≤ 1.25.0 (semver)

Credits

Yakov Shafranovich, Amazon Web Services

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-20T16:19:19.175447Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-05T17:21:44.416Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T16:11:24.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240307-0010/"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2024/Aug/37"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.commons:commons-compress",
          "product": "Apache Commons Compress",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.25.0",
              "status": "affected",
              "version": "1.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Yakov Shafranovich, Amazon Web Services"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress.\u003cp\u003eThis issue affects Apache Commons Compress: from 1.3 through 1.25.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.26.0 which fixes the issue.\u003c/p\u003e"
            }
          ],
          "value": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027) vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-07T17:06:33.636Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240307-0010/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2024-25710",
    "datePublished": "2024-02-19T08:33:40.627Z",
    "dateReserved": "2024-02-10T23:44:45.963Z",
    "dateUpdated": "2025-11-04T16:11:24.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OXAS-ADV-2024-0003

CVE-2021-41184 (GCVE-0-2021-41184)

CVE-2024-25582 (GCVE-0-2024-25582)

CVE-2024-25710 (GCVE-0-2024-25710)

Tags

Sightings

Nomenclature