OX App Suite 7.10.5 Cross Site Scripting

Published: 21 Mar 2022 00:00:00. Reported by Martin Heiland. Source: packetstorm (packetstormsecurity.com).

OX App Suite 7.10.5 Cross Site Scripting, HTML5 vulnerability and NIFF exploitation fixe

Related

Reporter   Title                                                              Published
Circl      CVE-2021-44208                                                     28 Mar 2022 07:39
Circl      CVE-2021-44209                                                     28 Mar 2022 07:40
Circl      CVE-2021-44210                                                     28 Mar 2022 07:40
Circl      CVE-2021-44211                                                     28 Mar 2022 07:40
Circl      CVE-2021-44212                                                     28 Mar 2022 07:40
Circl      CVE-2021-44213                                                     28 Mar 2022 07:39
CNNVD      Open-xchange OX App Suite cross-site scripting vulnerability       21 Mar 2022 00:00
CNNVD      Open-xchange OX App Suite cross-site scripting vulnerability       21 Mar 2022 00:00
CNNVD      Open-xchange OX App Suite cross-site scripting vulnerability       21 Mar 2022 00:00
CNNVD      Open-Xchange OX App Suite cross-site scripting vulnerability       21 Mar 2022 00:00
`Product: OX App Suite  
Vendor: OX Software GmbH  
  
  
  
Internal reference: OXUIB-1092  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev26  
Vendor notification: 2021-11-15  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44208  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
System messages in the OX Chat component are escaped to prevent injection of malicious code. However, this escaping is not applied to messages of a type that is "unknown" to the system. Such messages do not occur during normal operation.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires either that the victim follow a hyperlink or that the chat components be compromised.  
  
Steps to reproduce:  
1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code  
2. Make the victim connect to that infrastructure and request messages for their account  
  
Solution:  
We now sanitize "unknown" system messages as well, in case this scenario ever occurs in the wild.  
  
  
  
---  
  
  
  
Internal reference: MWB-1322  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev32  
Vendor notification: 2021-11-12  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44209  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Specific HTML5 tags and some of their attributes were not sufficiently considered when detecting malicious code that is served as a download.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires the victim to follow a hyperlink.  
  
Steps to reproduce:  
1. Upload an HTML5 document containing such tags, with an HTML file extension but a misleading media type  
2. Share the file and make a victim click a hyperlink to that resource  
  
Proof of concept:  
<audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio>  
  
Solution:  
We improved HTML detection and examine a complete list of tags, attributes and event handlers.  
  
  
  
---  
  
  
  
Internal reference: MWB-1260  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev32  
Vendor notification: 2021-09-27  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44210  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Certain media formats, NIFF in this case, were not detected as potentially carrying harmful content. An attacker can exploit this by uploading malicious content in disguise, as some browsers will attempt to render NIFF sources as inline content.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires the victim to follow a hyperlink.  
  
Steps to reproduce:  
1. Generate malicious JS/HTML content and upload it as a NIFF image, changing the media type accordingly  
2. Share that malicious code using "sharing"  
3. Make a victim follow a link to the malicious share  
  
Solution:  
We now detect NIFF as potentially malicious content and force browsers to download it.  
  
  
  
---  
  
  
  
Internal reference: MWB-1259  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev32  
Vendor notification: 2021-09-27  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44211  
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)  
  
Vulnerability Details:  
HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked into generating malicious output by injecting seemingly benign, garbled HTML code.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires some level of access to the victim's account or context, combined with a successful social engineering attack.  
  
Steps to reproduce:  
1. Create a malicious E-Mail signature  
2. Share and make a victim select that E-Mail signature  
  
Proof of concept:  
<img src class="src=cid:asd onerror=alert('XSS')//">  
  
Solution:  
We now check the HTML "class" attribute of HTML E-Mail signatures for potentially malicious content.  
  
  
  
---  
  
  
  
Internal reference: MWB-1219  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev32  
Vendor notification: 2021-08-17  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44212  
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
Script tags in HTML content can be obfuscated with trailing control characters (a tab after the tag name, as in the proof of concept below) to bypass existing sanitizers.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires the victim to follow a hyperlink.  
  
Steps to reproduce:  
1. Create malicious script code and obfuscate HTML tags using control characters  
2. Share the malicious code and make a victim click a link that points to this code  
  
Proof of concept:  
<script\t>alert("XSS");</script\t>  
  
Solution:  
We improved the detection of obfuscated HTML tags.  
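The four middleware issues above (MWB-1322, MWB-1260, MWB-1259 and MWB-1219) share one lesson: a sanitizer that matches literal strings, or that trusts the client-supplied media type and file extension, is bypassed by input that a browser tokenizes differently. The following is an added example, not OX App Suite code and not part of this advisory. It runs the advisory's own proofs of concept through Python's html.parser tokenizer, which sees the tab-obfuscated script tag as a script tag and sees the "onerror=" text smuggled inside the class attribute, and it serves anything active, or anything outside an allowlist of inline-safe media types (which is how NIFF ends up as a download here, a generalization of the per-format detection the vendor describes), with Content-Disposition: attachment and X-Content-Type-Options: nosniff. ACTIVE_TAGS, INLINE_SAFE_TYPES and the "image/niff" media type string are assumptions made for the example.

```python
"""Added example, not OX App Suite code: decide whether uploaded content is
"active" with an HTML tokenizer and, if so, force the browser to download it.

It exercises the advisory's proofs of concept for MWB-1322 (<audio> with
event handlers served under a misleading media type), MWB-1259 (a handler
hidden inside a class="..." value) and MWB-1219 (<script\\t>), and applies the
MWB-1260 remedy (force download) generically. ACTIVE_TAGS, INLINE_SAFE_TYPES
and the "image/niff" label are assumptions made for this example.
"""
import re
from html.parser import HTMLParser

# Tags that turn a "document" into a script carrier (assumed, illustrative list).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
               "base", "meta", "link", "form"}
# Media types allowed to render inline (assumed allowlist). Anything else,
# NIFF included, is served as an attachment; no per-format blocklist needed.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}
# An attribute value that itself contains "onerror=" and the like is the
# MWB-1259 pattern: inert as a value, live if a later step emits it as markup.
SMUGGLED_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


class ActiveContentScanner(HTMLParser):
    """Tokenize the way a browser would and collect every reason to refuse inline rendering."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # <script\t> arrives here as tag == "script": the tokenizer, not a
        # literal string match, decides where the tag name ends.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif value and (SMUGGLED_HANDLER.search(value)
                            or value.lstrip().lower().startswith("javascript:")):
                self.findings.append(f"suspicious value in {name} on <{tag}>")

    handle_startendtag = handle_starttag


def naive_check(data: str) -> bool:
    """The literal match that MWB-1219 bypasses: "<script\\t>" is not "<script>"."""
    return "<script>" in data.lower()


def scan_html(data: str) -> list:
    """Return the findings for a document; an empty list means nothing active was seen."""
    scanner = ActiveContentScanner()
    scanner.feed(data)
    scanner.close()
    return scanner.findings


def download_headers(filename: str, declared_type: str, body: bytes):
    """Response headers for a user upload. The decision rests on the bytes and
    on an allowlist, never on the client-chosen extension or media type."""
    findings = scan_html(body.decode("utf-8", errors="replace"))
    inline = declared_type in INLINE_SAFE_TYPES and not findings
    safe_name = re.sub(r'["\r\n\\]', "_", filename)
    headers = {
        "X-Content-Type-Options": "nosniff",  # stop MIME sniffing back to text/html
        "Content-Type": declared_type if inline else "application/octet-stream",
        "Content-Disposition": f'{"inline" if inline else "attachment"}; filename="{safe_name}"',
    }
    return headers, findings


if __name__ == "__main__":
    for poc in ('<script\t>alert("XSS");</script\t>',
                '<audio src="/appsuite/apps/themes/default/sounds/bell.ogg" '
                'onprogress="alert(\'XSS\');" onsuspend="alert(\'XSS\');" controls></audio>',
                '<img src class="src=cid:asd onerror=alert(\'XSS\')//">'):
        print(f"naive={naive_check(poc)!s:5} tokenizer={scan_html(poc)}")
    print(download_headers("page.html", "image/png", b'<audio onprogress="alert(1)"></audio>')[0])
```

The class-attribute finding deserves a word. The tokenizer itself reports no event handler on that img tag, because "onerror=alert('XSS')" is only the value of the class attribute; it becomes live only if a later processing step turns that value back into markup, which is what the advisory describes as the sanitizer being tricked into generating malicious output. Hence the vendor's fix, and this example, inspect the value rather than trusting the parse alone.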
  
  
  
---  
  
  
  
Internal reference: MWB-1216  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.10.5-rev32  
Vendor notification: 2021-08-13  
Solution date: 2021-12-14  
Public disclosure: 2022-03-21  
CVE reference: CVE-2021-44213  
CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)  
  
Vulnerability Details:  
In certain cases, binary uu-encoded content in multipart/alternative E-Mails is processed as the mail body without sanitization.  
  
Risk:  
Malicious script code can be executed within the victim's context. This can lead to session hijacking or to triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). Exploitation requires the victim to interact with the message.  
  
Steps to reproduce:  
1. Generate a malicious mail with binary unix-to-unix content and a specific header structure, add placeholder content to trigger the "Show entire message" feature  
2. Send that E-Mail to the victim  
3. As the victim, select the message and follow the "Show entire content" link  
  
Proof of concept:  
?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script>  
  
Solution:  
We now advertise uu-encoded E-Mail parts as file attachment rather than the mail body.  
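As an added example (not OX App Suite code and not part of this advisory), the following decodes the uu-encoded line from the MWB-1216 proof of concept with Python's binascii module and implements the split that the fix describes: a uuencoded block found inside a text body is carved out and advertised as an attachment rather than rendered as the body. The begin/end framing, the "message.html" name and the surrounding message text are constructed for the example; the advisory does not publish the exact header structure that triggered the bug.

```python
"""Added example, not OX App Suite code: decode the uuencoded line from the
MWB-1216 proof of concept and carve uuencoded blocks out of a text body so
they are handled as attachments, not as mail body markup.

The begin/end framing, the file name and the message text around the block
are constructed for this example.
"""
import binascii
import html
import re

# The exact line from the advisory's proof of concept.
POC_LINE = b"?/'-C<FEP=#YA;&5R=\"@B6%-3(BD[/\"]S8W)I<'0^\"@``"

# Constructed framing: "begin <mode> <name>", data lines, a "`" line, "end".
UU_BLOCK = b"begin 644 message.html\n" + POC_LINE + b"\n`\nend\n"
UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} \S+$")


def decode_uu_block(block: bytes):
    """Decode one uuencoded block; returns (declared filename, payload bytes)."""
    lines = block.split(b"\n")
    header = lines[0].split(b" ", 2)
    if len(header) != 3 or header[0] != b"begin":
        raise ValueError("not a uuencoded block")
    filename = header[2].decode("ascii", "replace")
    payload = bytearray()
    for line in lines[1:]:
        if line in (b"", b"end"):
            continue
        if line == b"`":                      # zero-length line terminates the data
            break
        payload += binascii.a2b_uu(line)      # one line decodes to at most 45 bytes
    return filename, bytes(payload)


def split_uu_parts(body: bytes):
    """Carve every uuencoded block out of a text body.
    Returns (remaining text, [(filename, payload), ...])."""
    text, parts = [], []
    lines = body.split(b"\n")
    i = 0
    while i < len(lines):
        if UU_BEGIN.match(lines[i]):
            j = i + 1
            while j < len(lines) and lines[j] != b"end":
                j += 1
            parts.append(decode_uu_block(b"\n".join(lines[i:j + 1])))
            i = j + 1
        else:
            text.append(lines[i])
            i += 1
    return b"\n".join(text), parts


def render_as_body(payload: bytes) -> str:
    """Pre-fix behaviour (MWB-1216): the decoded bytes become mail body markup as-is."""
    return payload.decode("utf-8", "replace")


def render_as_attachment(filename: str, payload: bytes) -> str:
    """Fixed behaviour: only an escaped name and size reach the DOM; the payload is a download."""
    return '<div class="attachment">{} ({} bytes)</div>'.format(html.escape(filename), len(payload))


if __name__ == "__main__":
    text, parts = split_uu_parts(b"Hello,\n\n" + UU_BLOCK + b"Regards\n")
    name, data = parts[0]
    print(text.decode())
    print("as body:      ", render_as_body(data).strip())
    print("as attachment:", render_as_attachment(name, data))
```

The advisory's line carries its own length in the first character ("?" encodes 31), so a2b_uu returns exactly the 31 bytes of the script tag plus newline; the printable garbage in the proof of concept is the whole payload, not a fragment.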
`
