OX App Suite 7.10.5 Cross Site Scripting

2022.03.22
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-80
CWE-79

Product: OX App Suite Vendor: OX Software GmbH Internal reference: OXUIB-1092 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev26 Vendor notification: 2021-11-15 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44208 CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Vulnerability Details: System messages at the OX Chat component are escaped to avoid injection of malicious code. However, this check is not performed for messages that are "unknown" to the system. Such messages do not occur during normal operations. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink or compromise of chat components. Steps to reproduce: 1. Maliciously modify the chat infrastructure to inject "unknown" messages that contain script code 2. Make the victim connect to that infrastructure and request messages for their account Solution: We now sanitize "unknown" system messages, in case this scenario may ever happen in the wild. --- Internal reference: MWB-1322 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-11-12 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44209 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Specific HTML5 tags and some attributes were not sufficiently considered when detecting malicious code thats being served as download. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Upload a HTML5 document with specific tags, set a HTML file extension but a misleading media-type 2. Share the file and make a victim click a hyperlink to that resource Proof of concept: <audio src="/appsuite/apps/themes/default/sounds/bell.ogg" onprogress="alert('XSS');" onsuspend="alert('XSS');" controls></audio> Solution: We improved HTML detection and examine a complete list of tags, attributes and event handlers. --- Internal reference: MWB-1260 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-09-27 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44210 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Certain media formats (NIFF) in this case, were not detected to contain potentially harmful content. This can be exploited by an attacker by uploading malicious content in disguise. Some browsers will attempt to render NIFF sources as inline content. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Generate malicious JS/HTML content and upload it as NIFF image, change the media-type accordingly 2. Share that malicious code using "sharing" 3. Make a victim follow a link to the malicious share Solution: We now detect NIFF as potentially malicious content and force browsers to download it. --- Internal reference: MWB-1259 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-09-27 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44211 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: HTML E-Mail signatures are processed by a sanitizer. This sanitizer can be tricked to generate malicious output by injecting seemingly benign garbled HTML code. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require some level of access to the victims account, context and pull off a social engineering attack. Steps to reproduce: 1. Create a malicious E-Mail signature 2. Share and make a victim select that E-Mail signature Proof of concept: <img src class="src=cid:asd onerror=alert('XSS')//"> Solution: We now check the HTML "class" attribute for potential malicious content for HTML E-Mail signatures. --- Internal reference: MWB-1219 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-08-17 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44212 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: Script tags at HTML content can be obfuscated by using trailing control commands to bypass existing sanitizers. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Create malicious script code and obfuscate HTML tags using control characters 2. Share the malicious code and make a victim click a link that points to this code Proof of concept: <script\t>alert("XSS");</script\t> Solution: We now improve detection of obfuscated HTML tags. --- Internal reference: MWB-1216 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev32 Vendor notification: 2021-08-13 Solution date: 2021-12-14 Public disclosure: 2022-03-21 CVE reference: CVE-2021-44213 CVSS: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) Vulnerability Details: Binary uu-encoded content at multipart/alternative E-Mails is processed as mail body without sanitization in certain cases. Risk: Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this the victim needs to interact with the message. Steps to reproduce: 1. Generate a malicious mail with binary unix-to-unix content and a specific header structure, add placeholder content to trigger the "Show entire message" feature 2. Send that E-Mail to the victim 3. As the victim, select the message and follow the "Show entire content" link Proof of concept: ?/'-C<FEP=#YA;&5R="@B6%-3(BD[/"]S8W)I<'0^"@`` becomes <script>alert("XSS");</script> Solution: We now advertise uu-encoded E-Mail parts as file attachment rather than the mail body.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top