Design/Logic Flaw

2024-01-0809:15:00

PRIOn knowledge base

www.prio-n.com

flaw

user-defined templates

access control

authorization

object manipulation

java api

security control

exploits

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

19.6%

JSON

User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users and contexts. We now make sure that the switch to disable user-generated templates by default works as intended and will remove the feature in future generations of the product. No publicly available exploits are known.

CPENameOperatorVersion
ox_app_suiteeq7.10.6 rev1
ox_app_suiteeq7.10.6 rev2
ox_app_suiteeq7.10.6 rev3
ox_app_suiteeq7.10.6 rev4
ox_app_suiteeq7.10.6 rev5
ox_app_suiteeq7.10.6 rev6
ox_app_suiteeq7.10.6 rev7
ox_app_suiteeq7.10.6 rev8
ox_app_suiteeq7.10.6 rev9
ox_app_suiteeq7.10.6 rev10

Name	Operator	Version
ox_app_suite	eq	7.10.6 rev1
ox_app_suite	eq	7.10.6 rev2
ox_app_suite	eq	7.10.6 rev3
ox_app_suite	eq	7.10.6 rev4
ox_app_suite	eq	7.10.6 rev5
ox_app_suite	eq	7.10.6 rev6
ox_app_suite	eq	7.10.6 rev7
ox_app_suite	eq	7.10.6 rev8
ox_app_suite	eq	7.10.6 rev9
ox_app_suite	eq	7.10.6 rev10