OXAS-ADV-2025-0002: OX App Suite Security Advisory
OX App Suite发布安全公告,修复了两个漏洞:CWE-1021(HTML表单元素用于欺骗攻击)和CWE-400(API请求导致缓存污染)。已提供修复版本并建议更新以防止风险。 2025-11-7 13:45:0 Author: seclists.org(查看原文) 阅读量:26 收藏
OX App Suite发布安全公告,修复了两个漏洞:CWE-1021(HTML表单元素用于欺骗攻击)和CWE-400(API请求导致缓存污染)。已提供修复版本并建议更新以防止风险。 2025-11-7 13:45:0 Author: seclists.org(查看原文) 阅读量:26 收藏
Full Disclosure mailing list archives
From: Martin Heiland via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 31 Oct 2025 11:10:38 +0100 (CET)
Dear subscribers, We're sharing our latest advisory with you and like to thank everyone who contributed in finding and solving those vulnerabilities. Feel free to join our bug bounty programs for OX App Suite, Dovecot and PowerDNS at YesWeHack. This advisory has also been published at https://documentation.open-xchange.com/appsuite/security/advisories/html/2025/oxas-adv-2025-0002.html. Yours sincerely, Martin Heiland, Open-Xchange GmbH Classification: TLP:GREEN Internal reference: appsuite/platform/core#336 Type: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames) Component: backend Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite backend 7.6.3-rev77, OX App Suite backend 8.35.111, OX App Suite backend 8.38.82, OX App Suite backend 8.39.79, OX App Suite backend 8.40.57 First fixed revision: OX App Suite backend 7.6.3-rev78, OX App Suite backend 8.35.112, OX App Suite backend 8.38.83, OX App Suite backend 8.39.80, OX App Suite backend 8.40.58 Discovery date: 2025-07-09 Solution date: 2025-07-10 CVE: CVE-2025-30191 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Details: HTML "form" elements can be used for spoofing and redressing. Malicious content from E-Mail can be used to perform a redressing attack. Risk: Users can be tricked to perform unintended actions or provide sensitive information to a third party which would enable further threats. No publicly available exploits are known Solution: Attribute values containing HTML fragments are now denied by the sanitization procedure. --- Internal reference: appsuite/support#763 Type: CWE-400 (Uncontrolled Resource Consumption) Component: ui middleware Report confidence: Confirmed Solution status: Fixed by vendor Last affected revision: OX App Suite ui middleware 2.1.7 First fixed revision: OX App Suite ui middleware 2.1.8 Discovery date: 2025-08-06 Solution date: 2025-08-12 CVE: CVE-2025-30188 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Details: Version information can be used to pollute caches and cause denial of service. Malicious or unintentional API requests can be used to add significant amount of data to caches. Risk: Caches may evict information that is required to operate the web frontend, which leads to unavailability of the component. No publicly available exploits are known Solution: Please deploy the provided updates and patch releases.
Attachment:
signature.asc
Description:
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- OXAS-ADV-2025-0002: OX App Suite Security Advisory Martin Heiland via Fulldisclosure (Nov 07)
文章来源: https://seclists.org/fulldisclosure/2025/Nov/12
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh