lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <894694919.12710.1704704813063@appsuite-guard.open-xchange.com>
Date: Mon, 8 Jan 2024 10:06:53 +0100 (CET)
From: Martin Heiland via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] OXAS-ADV-2023-0006: OX App Suite Security Advisory

Dear subscribers,

We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX AppSuite, Dovecot and PowerDNS at YesWeHack.

This advisory has also been published at https://documentation.open-xchange.com/security/advisories/.

Yours sincerely,
    Martin Heiland, Open-Xchange GmbH



Internal reference: MWB-2315
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17
First fixed revision: OX App Suite backend 7.10.6-rev52, OX App Suite backend 8.18
Discovery date: 2023-09-21
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29051
CVSS: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Details:
User-defined templates can bypass access control. User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.

Risk:
Unauthorized users could discover and modify application state, including objects related to other users and contexts. No publicly available exploits are known.

Solution:
We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product.



---



Internal reference: OXUIB-2532
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29052
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop disclaimer). Users were able to define disclaimer texts for an upsell shop dialog that would contain script code that was not sanitized correctly.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.



---



Internal reference: OXUIB-2533
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-41710
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop URL). User-defined script code could be stored for a upsell related shop URL. This code was not correctly sanitized when adding it to DOM.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.

Download attachment "signature.asc" of type "application/pgp-signature" (822 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ