OX Guard 2.10.3 Cross Site Scripting / Server-Side Request Forgery

Published: 12 Jun 2020
Reported by: Martin Heiland
Source: packetstorm (packetstormsecurity.com)

OX Guard 2.10.3 XSS / SSRF Vulnerabilities Fixed by Vendor. HKP/HKPS and WKS discovery mechanisms insufficiently checked for sensitive resource locations, leading to internal network discovery capabilities for an attacker

Related

| Family | Title | Published |
| --- | --- | --- |
| 0day.today | OX Guard 2.10.3 Cross Site Scripting / Server-Side Request Forgery Vulnerabilities | 15 Jun 2020 00:00 |
| CNVD | Open-Xchange OX Guard Code Issue Vulnerability | 16 Jun 2020 00:00 |
| CNVD | Open-Xchange OX Guard Cross-Site Scripting Vulnerability (CNVD-2020-53118) | 16 Jun 2020 00:00 |
| CVE | CVE-2020-9426 | 15 Jun 2020 14:55 |
| CVE | CVE-2020-9427 | 15 Jun 2020 14:52 |
| Cvelist | CVE-2020-9426 | 15 Jun 2020 14:55 |
| Cvelist | CVE-2020-9427 | 15 Jun 2020 14:52 |
| EUVD | EUVD-2020-30246 | 7 Oct 2025 00:30 |
| EUVD | EUVD-2020-30247 | 7 Oct 2025 00:30 |
| NVD | CVE-2020-9426 | 15 Jun 2020 15:15 |
Product: OX Guard  
Vendor: OX Software GmbH  
  
  
  
Internal reference: GUARD-179  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 2.10.3  
Vulnerable component: guard  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 2.10.2-rev9, 2.10.3-rev4  
Vendor notification: 2020-02-04  
Solution date: 2020-03-06  
Public disclosure: 2020-06-12  
CVE reference: CVE-2020-9426  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
Comments within forged malicious public keys could contain HTML and JavaScript that was not properly sanitized before being displayed in the Guard settings. Through Autocrypt and other mechanisms such keys could be imported without the user noticing their malicious content.  
  
Risk:  
Users can trigger API calls that invoke local URLs; if a host can be accessed, a different error will be returned compared to unavailable hosts. This can be used to discover the internal network topology and services.  
  
Steps to reproduce:  
1. Create a PGP keypair  
2. Use HTML and JS as part of the public key's comment section  
3. Distribute this key through mail attachments, Autocrypt or HKP  
  
Solution:  
We improved our sanitizing and ensure that external content such as comments is handled safely.  
  
  
  
---  
  
  
  
Internal reference: GUARD-182  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 2.10.3  
Vulnerable component: guard  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 2.10.2-rev9, 2.10.3-rev4  
Vendor notification: 2020-02-11  
Solution date: 2020-03-06  
Public disclosure: 2020-06-12  
CVE reference: CVE-2020-9427  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
HKP/HKPS key discovery mechanisms are based on DNS service records. Those are probed to look up unknown public keys but were insufficiently checked for sensitive resource locations.  
  
Risk:  
In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration, this can be used to determine whether a specific port on an internal system is open, leading to basic network discovery capabilities for the attacker.  
  
Steps to reproduce:  
1. Set up a malicious domain with HKP/HKPS service records and point them to a malicious HKP responder  
2. At the malicious HKP responder, issue HTTP redirects targeting internal hosts like 127.0.0.1  
  
Solution:  
We now run HKP responses through existing blacklist mechanisms to avoid accessing internal network resources.  
  
  
  
---  
  
  
  
Internal reference: GUARD-183  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 2.10.3  
Vulnerable component: guard  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 2.10.2-rev9, 2.10.3-rev4  
Vendor notification: 2020-02-11  
Solution date: 2020-03-06  
Public disclosure: 2020-06-12  
CVE reference: CVE-2020-9427  
CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)  
  
Vulnerability Details:  
WKS/Webkey service discovery mechanisms are based on DNS service records. Those are probed to look up unknown public keys but were insufficiently checked for sensitive resource locations.  
  
Risk:  
In case of a malicious DNS server or domain, an attacker could use this technique to redirect HTTP requests to internal networks. Taking timing and response codes into consideration, this can be used to determine whether a specific port on an internal system is open, leading to basic network discovery capabilities for the attacker. Note that this attack is mitigated when DNSSEC is used, but depending on the configuration DNSSEC might be bypassed or not used at all.  
  
Steps to reproduce:  
1. Set up a malicious domain with WKS/Webkey service records and point them to a malicious WKS responder  
2. At the malicious WKS responder, issue HTTP redirects targeting internal hosts like 127.0.0.1  
  
Solution:  
We now run WKS responses through existing blacklist mechanisms to avoid accessing internal network resources.  
  
