{"id": "PACKETSTORM:162406", "type": "packetstorm", "bulletinFamily": "exploit", "title": "OX App Suite / OX Guard SSRF / DoS / Cross Site Scripting", "description": "", "published": "2021-04-30T00:00:00", "modified": "2021-04-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/162406/OX-App-Suite-OX-Guard-SSRF-DoS-Cross-Site-Scripting.html", "reporter": "Martin Heiland", "references": [], "cvelist": ["CVE-2020-28943", "CVE-2020-28944", "CVE-2020-28945"], "immutableFields": [], "lastseen": "2021-04-30T15:33:35", "viewCount": 238, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-28943", "CVE-2020-28944", "CVE-2020-28945"]}], "rev": 4}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-28943", "CVE-2020-28944", "CVE-2020-28945", "CVE-2021-31934", "CVE-2021-31935"]}]}, "exploitation": null, "vulnersScore": 4.7}, "sourceHref": "https://packetstormsecurity.com/files/download/162406/oxappsuiteguard-xssdosssrf.txt", "sourceData": "`Product: OX App Suite / OX Guard \nVendor: OX Software GmbH \n \n \n \nAffected product: OX App Suite \nInternal reference: OXUIB-481 \nVulnerability type: Cross-Site Scripting (CWE-80) \nVulnerable version: 7.10.4 and earlier \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.3-rev23, 7.10.4-rev14 \nVendor notification: 2020-09-28 \nSolution date: 2020-11-23 \nPublic disclosure: 2021-04-30 \nCVE reference: CVE-2020-28945 \nCVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) \n \nVulnerability Details: \nWhen searching for contacts in mobile mode (App Suite UI on a smartphone), specific fields of a contact object were not properly handled. This could lead to script execution in case the user's search would yield contacts with malicious data. \n \nRisk: \nMalicious script code can be executed within a user's context. 
This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to execute a specific action. \n \nSteps to reproduce: \n1. Create a malicious contact which contains script-code as \"position\" or \"company\" value \n2. Share the contact with the victim, for example within the same context or as vcard file \n3. Make the victim search for this contact in mobile mode \n \nSolution: \nWe improved how search results in mobile mode are being constructed and delivered, considering user-provided information as potentially malicious. \n \n \n \n--- \n \n \n \nAffected product: OX App Suite \nInternal reference: OXUIB-491 \nVulnerability type: Cross-Site Scripting (CWE-80) \nVulnerable version: 7.10.4 and earlier \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.3-rev23, 7.10.4-rev14 \nVendor notification: 2020-10-01 \nSolution date: 2020-11-23 \nPublic disclosure: 2021-04-30 \nCVE reference: CVE-2020-28945 \nCVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \nVulnerability Details: \nAn undocumented component did not correctly handle user-generated content when displaying the information to a user. \n \nRisk: \nMalicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to follow a link provided by the attacker. \n \nSteps to reproduce: \n1. Create or upload a malicious \"Notes\" item \n2. Share that item with a user within the same context and make them open it \n \nProof of concept: \nxx  yy \n \nSolution: \nWe disabled the ability to launch the undocumented component for the time being and therefore the risk of executing malicious content as code. 
\n \n \n \n--- \n \n \n \nAffected product: OX App Suite \nInternal reference: OXUIB-509 \nVulnerability type: Cross-Site Scripting (CWE-80) \nVulnerable version: 7.10.4 and earlier \nVulnerable component: frontend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.3-rev23, 7.10.4-rev14 \nVendor notification: 2020-10-12 \nSolution date: 2020-11-23 \nPublic disclosure: 2021-04-30 \nCVE reference: CVE-2020-28945 \nCVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \nVulnerability Details: \nContact \"distribution lists\" can be created in a way that they contain script code which is executed in the \"scheduling\" view. \n \nRisk: \nMalicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this, an attacker would require the victim to import data and/or execute a specific action. \n \nSteps to reproduce: \n1. Create a malicious distribution list where a member contains malicious script code as \"common name\" \n2. Share the distribution list with the victim, for example within the same context or as vcard file \n3. Make the victim add this distribution list to the \"scheduling\" view in calendar \n \nProof of concept: \n\" \" <img/src='x'/onerror='alert(\"XSS\")'/cut=@example.com> \n \nSolution: \nWe improved how the \"scheduling\" overview is being constructed and delivered, considering user-provided information as potentially malicious. 
\n \n \n \n--- \n \n \n \nAffected product: OX App Suite \nInternal reference: MWB-646 \nVulnerability type: Server-Side Request Forgery (CWE-918) \nVulnerable version: 7.10.4 and earlier \nVulnerable component: backend \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 7.10.3-rev28, 7.10.4-rev14 \nVendor notification: 2020-10-12 \nSolution date: 2020-11-23 \nPublic disclosure: 2021-04-30 \nCVE reference: CVE-2020-28943 \nCVSS: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) \n \nVulnerability Details: \nSnippets are used to temporarily store content for internal handling, for example when using mail signatures or E-Mail attachments while moving them to Drive (\"managed files\"). The identifiers of those snippets could be defined via an API call and are used as the reference when retrieving the file from any of the caches. When timing this retrieval correctly and waiting for cache eviction and garbage collection, those snippets could be used to reference arbitrary network resources instead of the snippet content while moving the snippet back from the distributed to the local cache. Path traversal techniques could be used to escape the predefined valid URI for those snippets. \n \nRisk: \nArbitrary network resources could be requested by a malicious user through the middleware, including resources within an internal trust boundary where the OX App Suite middleware operates. In case of web services, this could expose the response of the service to the user. Services that use authentication or do not respond to GET requests are not affected. \n \nSteps to reproduce: \n1. Create a snippet (e.g. image attachment) and use a malicious identifier \n2. Wait for a couple of minutes until the snippet expires from the local map \n3. 
Request the snippet to force it being requested from the distributed map and use the malicious reference \n \nSolution: \nWe now use URI encoding when retrieving distributed managed files to avoid the ability to request resources out of scope for the application. Independent from this, we suggest that operators use the existing Security Manager configuration to restrict network access of the middleware process to a reasonable scope. \n \n \n \n--- \n \n \n \nAffected product: OX Guard \nInternal reference: GUARD-228 \nVulnerability type: Denial Of Service (CWE-400) \nVulnerable version: 2.10.4 and earlier \nVulnerable component: guard \nReport confidence: Confirmed \nSolution status: Fixed by Vendor \nFixed version: 2.10.3-rev8, 2.10.4-rev5 \nVendor notification: 2020-11-02 \nSolution date: 2020-11-23 \nPublic disclosure: 2021-04-30 \nCVE reference: CVE-2020-28944 \nCVSS: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L) \n \nVulnerability Details: \nWKS is used as an option to retrieve a user's public key material for encrypted mail communication. In case an attacker would set up malicious WKS infrastructure, OX Guard can be tricked into keeping connections open for a long period of time or processing unusually large chunks of data. \n \nRisk: \nOX Guard nodes could be forced to exhaust system resources like network sockets, memory and connection pools. This would lead to temporary unavailability of the service. \n \nSteps to reproduce: \n1. Set up a malicious WKS service that responds very slowly and/or with huge amounts of data \n2. Add one or more E-Mail recipients in OX App Suite whose domain is handled by this malicious WKS service \n \nSolution: \nWe added timeouts for both size and total connection duration to avoid being stuck processing responses from malicious sources. \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}