Vendor: OX Software GmbH
Affected product: OX App Suite
Internal reference: OXUIB-481
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-09-28
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
When searching for contacts in mobile mode (App Suite UI on a
smartphone), specific fields of a contact object were not properly
handled. This could lead to script execution in case the user's
search would yield contacts with malicious data.
Risk:
Malicious script code can be executed within a user's context. This
can lead to session hijacking or triggering unwanted actions via
the web interface (e.g. redirecting to a third-party site). To
exploit this an attacker would require the victim to execute a
specific action.
Steps to reproduce:
1. Create a malicious contact which contains script-code as
"position" or "company" value
2. Share the contact with the victim, for example within the same
context or as vcard file
3. Make the victim search for this contact in mobile mode
Solution:
We improved how search results in mobile mode are being constructed
and delivered, considering user-provided information as potentially
malicious.
---
Affected product: OX App Suite
Internal reference: OXUIB-491
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-01
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
An undocumented component did not correctly handle user-generated
content when displaying the information to a user.
Risk:
Malicious script code can be executed within a user's context. This
can lead to session hijacking or triggering unwanted actions via
the web interface (e.g. redirecting to a third-party site). To
exploit this an attacker would require the victim to follow a link
provided by the attacker.
Steps to reproduce:
1. Create or upload a malicious "Notes" item
2. Share that item with a user within the same context and make
them open it
Proof of concept:
xx
 yy
Solution:
We disabled the ability to launch the undocumented component for
the time being and therefore the risk of executing malicious
content as code.
---
Affected product: OX App Suite
Internal reference: OXUIB-509
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev23, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28945
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Contact "distribution lists" can be created in a way that they
contain script code which is being executed in "scheduling"
view.
Risk:
Malicious script code can be executed within a user's context. This
can lead to session hijacking or triggering unwanted actions via
the web interface (e.g. redirecting to a third-party site). To
exploit this an attacker would require the victim to import data
and/or execute a specific action.
Steps to reproduce:
1. Create a malicious distribution list where a member contains
malicious script code as "common name"
2. Share the distribution list with the victim, for example within
the same context or as vcard file
3. Make the victim add this distribution list to "scheduling" view
in calendar
Proof of concept:
" " <img/src='x'/onerror='alert("XSS")'/[email protected]>
Solution:
We improved how the "scheduling" overview is being constructed and
delivered, considering user-provided information as potentially
malicious.
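The fix for both OXUIB-481 and OXUIB-509 is the same defensive rule: any contact field ("position", "company", a member's "common name") must be treated as text, never as markup, when a search result or the scheduling view is rendered. The following is an added example, not OX App Suite code, contrasting string concatenation with an auto-escaping tagged template; the member object is constructed from the advisory's PoC payload, with a placeholder e-mail address.

```javascript
// Added example (not OX code): render a distribution-list member safely.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out
// of an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Tagged template: literal template parts are trusted (written by the
// developer), every interpolated value is escaped. A caller cannot forget
// to escape an individual field, which is the mistake behind this bug class.
function html(strings, ...values) {
  return strings.reduce(
    (out, str, i) => out + str + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Vulnerable pattern: user-controlled "common name" concatenated into markup.
function renderMemberUnsafe(member) {
  return '<li class="member">' + member.displayName + ' &lt;' + member.email + '&gt;</li>';
}

// Hardened pattern: identical markup, built with the escaping template.
function renderMemberSafe(member) {
  return html`<li class="member">${member.displayName} &lt;${member.email}&gt;</li>`;
}

// Constructed sample member, modelled on the advisory's proof of concept.
const poisonedMember = {
  displayName: `" " <img/src='x'/onerror='alert("XSS")'/>`,
  email: 'member@example.invalid', // placeholder address
};

console.log('unsafe:', renderMemberUnsafe(poisonedMember));
console.log('safe:  ', renderMemberSafe(poisonedMember));
```

In a real view layer the same rule applies when inserting into the DOM: use `textContent` or a templating engine that escapes by default, and reserve `innerHTML` for markup the application itself produced.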
---
Affected product: OX App Suite
Internal reference: MWB-646
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.10.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.10.3-rev28, 7.10.4-rev14
Vendor notification: 2020-10-12
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28943
CVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Vulnerability Details:
Snippets are used to temporarily store content for internal
handling, for example when using mail signatures or E-Mail
attachments while moving them to Drive ("managed files"). The
identifier of those snippets could be defined via an API call and
is used as the reference when retrieving the file from any of
the caches. When timing this retrieval correctly and waiting for
cache eviction and garbage collection, those snippets could be used
to reference arbitrary network resources instead of the snippet
content while moving the snippet back from the distributed to the
local cache. Path traversal techniques could be used to escape the
predefined valid URI for those snippets.
Risk:
Arbitrary network resources could be requested by a malicious user
through the middleware, including resources within the internal
trust boundary where the OX App Suite middleware operates. In case of
web services, this could expose the response of the service to the
user. Services that use authentication or do not respond to GET
requests are not affected.
Steps to reproduce:
1. Create a snippet (e.g. image attachment) and use a malicious
identifier
2. Wait for a couple of minutes until the snippet expires from the
local map
3. Request the snippet to force it being requested from the
distributed map and use the malicious reference
Solution:
We now use URI encoding when retrieving distributed managed files
to avoid the ability to request resources out of scope for the
application. Independent from this, we suggest operators to use
existing Security Manager configuration to restrict network access
of the middleware process to a reasonable scope.
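The core of the MWB-646 fix is that an attacker-chosen identifier must never be able to change which host or path the middleware requests. The following is an added example, not OX middleware code, written in JavaScript rather than the backend's own language; the cache base URL and identifier format are constructed assumptions. It shows the traversal that raw concatenation allows and the three-step hardening: allowlist the identifier, percent-encode it, and verify the resolved URL is still below the base before any request is made.

```javascript
// Added example (not OX code): resolving a managed-file / snippet URI.
const SNIPPET_BASE = 'http://cache.internal.example/snippets/'; // constructed placeholder
// Constructed allowlist: identifiers are short and contain no separators.
const SNIPPET_ID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;

// True when an absolute URL still points below the snippet base.
function isBelowBase(href) {
  return href.startsWith(SNIPPET_BASE);
}

// Vulnerable pattern: the identifier is concatenated verbatim, so dot
// segments ("../") are normalised away and the request leaves the base path.
function snippetUriUnsafe(id) {
  return new URL(SNIPPET_BASE + id).href;
}

// Hardened pattern: reject unexpected identifiers, percent-encode the rest
// so "/" and "." can no longer act as path syntax, and refuse anything that
// still resolves outside the base (defence in depth).
function snippetUriSafe(id) {
  if (!SNIPPET_ID.test(id)) {
    throw new RangeError(`rejected snippet id: ${JSON.stringify(id)}`);
  }
  const href = new URL(encodeURIComponent(id), SNIPPET_BASE).href;
  if (!isBelowBase(href)) {
    throw new RangeError('snippet URI escapes base');
  }
  return href;
}

// Constructed identifiers: one benign, one using path traversal.
for (const id of ['img-42.png', '../../admin/health']) {
  let safe;
  try { safe = snippetUriSafe(id); } catch (err) { safe = err.message; }
  console.log(JSON.stringify(id), '->', snippetUriUnsafe(id), '|', safe);
}
```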
---
Affected product: OX Guard
Internal reference: GUARD-228
Vulnerability type: Denial Of Service (CWE-400)
Vulnerable version: 2.10.4 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.10.3-rev8, 2.10.4-rev5
Vendor notification: 2020-11-02
Solution date: 2020-11-23
Public disclosure: 2021-04-30
CVE reference: CVE-2020-28944
CVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)
Vulnerability Details:
WKS is being used as an option to retrieve a user's public key
material for encrypted mail communication. In case an attacker
would set up malicious WKS infrastructure, OX Guard can be tricked
into keeping connections open for a long period of time or processing
unusually large chunks of data.
Risk:
OX Guard nodes could be forced to exhaust system resources like
network sockets, memory and connection pools. This would lead to
temporary unavailability of the service.
Steps to reproduce:
1. Set up a malicious WKS service that responds very slowly and/or
with huge amounts of data
2. Add one or more e-mail recipients in OX App Suite whose domain is
handled by this malicious WKS service
Solution:
We added timeouts for both size and total connection duration to
avoid being stuck processing responses from malicious
sources.
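The two limits the GUARD-228 fix describes, a cap on response size and a cap on total connection duration, can be enforced in one place wherever the WKS response body is consumed. The following is an added example, not OX Guard code: a bounded reader with an injectable clock so the slow-response and oversized-response cases can be exercised deterministically; the limit values and event format are constructed.

```javascript
// Added example (not OX Guard code): bound a WKS response by bytes and time.
class WksResponseError extends Error {}

class BoundedResponseReader {
  // now() is injectable so tests can advance time without waiting.
  constructor({ maxBytes = 64 * 1024, deadlineMs = 10000, now = Date.now } = {}) {
    this.maxBytes = maxBytes;
    this.deadlineMs = deadlineMs;
    this.now = now;
    this.startedAt = now(); // deadline is measured from request start, not per chunk
    this.received = 0;
    this.chunks = [];
  }

  // Called once per body chunk. Throws as soon as either limit is crossed so
  // the caller can abort the connection and free the socket and pool slot.
  push(chunk) {
    if (this.now() - this.startedAt > this.deadlineMs) {
      throw new WksResponseError(`WKS response exceeded ${this.deadlineMs} ms`);
    }
    this.received += chunk.length;
    if (this.received > this.maxBytes) {
      throw new WksResponseError(`WKS response exceeded ${this.maxBytes} bytes`);
    }
    this.chunks.push(chunk);
  }

  body() {
    return Buffer.concat(this.chunks);
  }
}

// Drives the reader over constructed {atMs, data} events (a stand-in for a
// streamed HTTP body) with a fake clock; returns the outcome instead of throwing.
function consume(events, limits) {
  let clock = 0;
  const reader = new BoundedResponseReader({ ...limits, now: () => clock });
  try {
    for (const { atMs, data } of events) {
      clock = atMs;
      reader.push(Buffer.from(data));
    }
    return { ok: true, bytes: reader.body().length };
  } catch (err) {
    if (err instanceof WksResponseError) return { ok: false, reason: err.message };
    throw err;
  }
}
```

Because `push` only runs when data arrives, a server that sends nothing at all must additionally be cut off by a socket-level timeout on the connection itself.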