OXAS-ADV-2025-0001

Vulnerability from csaf_ox - Published: 2025-01-27 00:00 - Updated: 2025-04-07 00:00
Summary: OX App Suite Security Advisory OXAS-ADV-2025-0001
Severity: Critical
Notes
Terms of Use: This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.

CVE-2024-47875: Vulnerable DOMPurify shipped with App Suite 7.10.6 and 7.6.3

The DOMPurify third-party library has been updated to resolve known vulnerabilities.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v3.1: 10.0 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
Affected products
Product: OX App Suite frontend 7.10.6-rev49 (Open-Xchange GmbH / OX App Suite frontend)
Identifier: cpe:2.3:a:open-xchange:app_suite:7.10.6:rev49:*:*:*:*:*:*
Version: 7.10.6-rev49
Status: last affected
Remediation: Vendor Fix

Product: OX App Suite frontend 7.10.6-rev50 (Open-Xchange GmbH / OX App Suite frontend)
Identifier: cpe:2.3:a:open-xchange:app_suite:7.10.6:rev50:*:*:*:*:*:*
Version: 7.10.6-rev50
Status: first fixed

Threats
Impact: This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit Status: No publicly available exploits are known.

CVE-2022-0839: Resolving third-party vulnerabilities in the office master (7.10.6) repo

Several third-party libraries have been updated to resolve known vulnerabilities. This includes H2, Xalan, Liquibase and Spring Boot.

CWE-611 - Improper Restriction of XML External Entity Reference
CVSS v3.1: 9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Product: OX App Suite office 7.10.6-rev15 (Open-Xchange GmbH / OX App Suite office)
Identifier: cpe:2.3:a:open-xchange:office:7.10.6:rev15:*:*:*:*:*:*
Version: 7.10.6-rev15
Status: last affected
Remediation: Vendor Fix

Product: OX App Suite office 7.10.6-rev16 (Open-Xchange GmbH / OX App Suite office)
Identifier: cpe:2.3:a:open-xchange:office:7.10.6:rev16:*:*:*:*:*:*
Version: 7.10.6-rev16
Status: first fixed

Threats
Impact: This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit Status: No publicly available exploits are known.

CVE-2021-23358: Resolving third-party vulnerabilities in the office-ui master (7.10.6) repo

Several third-party libraries have been updated to resolve known vulnerabilities. This includes grunt, dompurify, codecept, underscore and requirejs.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS v3.1: 7.2 (High), CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Product: OX App Suite office 7.10.6-rev11 (Open-Xchange GmbH / OX App Suite office)
Identifier: cpe:2.3:a:open-xchange:office:7.10.6:rev11:*:*:*:*:*:*
Version: 7.10.6-rev11
Status: last affected
Remediation: Vendor Fix

Product: OX App Suite office 7.10.6-rev12 (Open-Xchange GmbH / OX App Suite office)
Identifier: cpe:2.3:a:open-xchange:office:7.10.6:rev12:*:*:*:*:*:*
Version: 7.10.6-rev12
Status: first fixed

Threats
Impact: This is done as a precautionary measure; at this time none of the related vulnerabilities is known to be exploitable in the context of OX App Suite.
Exploit Status: No publicly available exploits are known.

{
  "document": {
    "aggregate_severity": {
      "text": "CRITICAL"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Open-Xchange GmbH. All rights reserved.",
      "tlp": {
        "label": "GREEN",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution-NoDerivatives 4.0 International License (https://creativecommons.org/licenses/by-nd/4.0/). If you distribute this content, you must provide attribution to Open-Xchange GmbH and provide a link to the original. You may not distribute a modified version of this content.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6304_7.10.6_2025-02-03.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0001.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2025/oxas-adv-2025-0001.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0001.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2025/oxas-adv-2025-0001.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2025-0001",
    "tracking": {
      "current_release_date": "2025-04-07T00:00:00+00:00",
      "generator": {
        "date": "2025-04-07T06:54:13+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2025-0001",
      "initial_release_date": "2025-01-27T00:00:00+01:00",
      "revision_history": [
        {
          "date": "2025-01-27T00:00:00+01:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2025-04-07T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev49",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev49",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev49",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev49:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev50",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev50:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.6-rev15",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev15",
                  "product_id": "OXAS-OFFICE_7.10.6-rev15",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev15:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev16",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev16",
                  "product_id": "OXAS-OFFICE_7.10.6-rev16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev16:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev11",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev11",
                  "product_id": "OXAS-OFFICE_7.10.6-rev11",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev11:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev12",
                "product": {
                  "name": "OX App Suite office 7.10.6-rev12",
                  "product_id": "OXAS-OFFICE_7.10.6-rev12",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:office:7.10.6:rev12:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6304"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite office"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47875",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-12-13T10:21:37.494000+01:00",
      "ids": [
        {
          "system_name": "GitLab Issue",
          "text": "appsuite/web-apps/ui#785"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The DOMPurify third-party library has been updated to resolve known vulnerabilities."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.6-rev50"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.6-rev49"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-08T08:55:19.495000+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.6-rev49"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10.0,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.6-rev49"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Vulnerable DOMPurify shipped with App Suite 7.10.6 and 7.6.3"
    },
    {
      "cve": "CVE-2022-0839",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2023-09-12T10:35:52+02:00",
      "ids": [
        {
          "system_name": "JIRA OX Bug",
          "text": "DOCS-5081"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Several third-party libraries have been updated to resolve known vulnerabilities. This includes H2, Xalan, Liquibase and Spring Boot."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-OFFICE_7.10.6-rev16"
        ],
        "last_affected": [
          "OXAS-OFFICE_7.10.6-rev15"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-03T16:27:44+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-OFFICE_7.10.6-rev15"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-OFFICE_7.10.6-rev15"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Resolving third-party vulnerabilities in the office master (7.10.6) repo"
    },
    {
      "cve": "CVE-2021-23358",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2024-12-12T10:50:59+01:00",
      "ids": [
        {
          "system_name": "JIRA OX Bug",
          "text": "DOCS-5338"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Several third-party libraries have been updated to resolve known vulnerabilities. This includes grunt, dompurify, codecept, underscore and requirejs."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-OFFICE_7.10.6-rev12"
        ],
        "last_affected": [
          "OXAS-OFFICE_7.10.6-rev11"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-01-27T16:08:03+01:00",
          "details": "Third-party libraries have been updated.",
          "product_ids": [
            "OXAS-OFFICE_7.10.6-rev11"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-OFFICE_7.10.6-rev11"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "This is done as a precautionary measure, at this time none of the related vulnerabilities is known to be exploitable in context of OX App Suite."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Resolving third-party vulnerabilities in the office-ui master (7.10.6) repo"
    }
  ]
}