cvelistv5 - CVE-2022-43696

CVE-2022-43696

Vulnerability from cvelistv5

Published

2023-04-15 00:00

Modified

2025-02-06 16:01

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

References

URL	Tags
cve@mitre.org	https://open-xchange.com	Product
cve@mitre.org	https://seclists.org/fulldisclosure/2023/Feb/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://open-xchange.com	Product
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/fulldisclosure/2023/Feb/3	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T13:40:06.467Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://open-xchange.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-43696",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T15:59:45.868932Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-06T16:01:32.585Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-15T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://open-xchange.com"
        },
        {
          "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-43696",
    "datePublished": "2023-04-15T00:00:00.000Z",
    "dateReserved": "2022-10-24T00:00:00.000Z",
    "dateUpdated": "2025-02-06T16:01:32.585Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-43696\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-04-15T02:15:07.097\",\"lastModified\":\"2025-02-06T16:15:30.750\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.10.6\",\"matchCriteriaId\":\"5BBF1862-B6FF-4F32-A3C1-59D28BA25F81\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A4EAD2E-C3C3-4C79-8C42-375FFE638486\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*\",\"matchCriteriaId\":\"39198733-D227-4935-9A60-1026040D262F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C86EE81-8CD4-4131-969A-BDA24B9B48E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9E9C869-7DA9-4EFA-B613-82BA127F6CE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8FAA329-5893-412B-8349-4DA3023CC76E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB6A57A4-B18D-498D-9A8C-406797A6255C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F0977F0-90B4-48B4-BED6-C218B5CA5E03\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*\",\"matchCriteriaId\":\"4D55DE67-8F93-48F3-BE54-D3A065479281\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*\",\"matchCriteriaId\":\"D27980B4-B71B-4DA8-B130-F0B5929F8E65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*\",\"matchCriteriaId\":\"DD1709BC-7DEB-4508-B3C3-B20F5FD001A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*\",\"matchCriteriaId\":\"08A6BDD5-259E-4DC3-A548-00CD0D459749\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*\",\"matchCriteriaId\":\"B8166FF4-77D8-4A12-92E5-615B3DA2E602\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*\",\"matchCriteriaId\":\"999F057B-7918-461A-B60C-3BE72E92CDC9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*\",\"matchCriteriaId\":\"88FD1550-3715-493E-B674-9ECF3DD7A813\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*\",\"matchCriteriaId\":\"F31A4949-397F-4D1B-8AEA-AC7B335722F8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*\",\"matchCriteriaId\":\"D33A91D4-CE21-486D-9469-B09060B8C637\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E3E5CD2-7631-4DBE-AB4D-669E82BCCAD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BEE0AF0-3D22-4DE7-9E71-A4469D9CA2EB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*\",\"matchCriteriaId\":\"AAFB199C-1D66-442D-AD7E-414DD339E1D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*\",\"matchCriteriaId\":\"26322561-2491-4DC7-B974-0B92B61A5BDA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*\",\"matchCriteriaId\":\"A6BA6C2B-F2D5-4FF7-B316-C8E99C2B464B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*\",\"matchCriteriaId\":\"733E4A65-821B-4187-AA3A-1ACD3E882C07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*\",\"matchCriteriaId\":\"6B0A0043-33E8-4440-92AC-DDD70EA39535\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*\",\"matchCriteriaId\":\"303205CC-8BDE-47EE-A675-9BA19983139A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C088014-47D6-4632-9FB5-2C7B1085B762\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:*:*:*:*:*:*\",\"matchCriteriaId\":\"42CF6057-EB40-4208-9F1E-83213E97987C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:*:*:*:*:*:*\",\"matchCriteriaId\":\"966BC23E-B8CE-4F98-B3A6-4B620E8808BE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:*:*:*:*:*:*\",\"matchCriteriaId\":\"7409CE19-ACC1-4AF4-8C8A-AE2CDBB63D3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:*:*:*:*:*:*\",\"matchCriteriaId\":\"17D71CDE-3111-459B-8520-F62E0D5D2972\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D808ED6-F819-4014-BD24-4537D52DDFB0\"}]}]}],\"references\":[{\"url\":\"https://open-xchange.com\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://seclists.org/fulldisclosure/2023/Feb/3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://open-xchange.com\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://seclists.org/fulldisclosure/2023/Feb/3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://open-xchange.com\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://seclists.org/fulldisclosure/2023/Feb/3\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T13:40:06.467Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-43696\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T15:59:45.868932Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T16:00:15.637Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://open-xchange.com\"}, {\"url\": \"https://seclists.org/fulldisclosure/2023/Feb/3\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2023-04-15T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-43696\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-06T16:01:32.585Z\", \"dateReserved\": \"2022-10-24T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2023-04-15T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-p97x-fwwh-9fgq

Vulnerability from github

Published

2023-04-15 03:30

Modified

2024-04-04 03:28

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-43696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-15T02:15:00Z",
    "severity": "MODERATE"
  },
  "details": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.",
  "id": "GHSA-p97x-fwwh-9fgq",
  "modified": "2024-04-04T03:28:57Z",
  "published": "2023-04-15T03:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43696"
    },
    {
      "type": "WEB",
      "url": "https://open-xchange.com"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

OXAS-ADV-2022-0002

Vulnerability from csaf_ox

Published

2022-11-02 00:00

Modified

2024-01-22 00:00

Summary

OX App Suite Security Advisory OXAS-ADV-2022-0002

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "CRITICAL"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6188_7.10.5_2022-11-02.pdf"
      },
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6189_7.10.6_2022-11-02.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2022/oxas-adv-2022-0002.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2022/oxas-adv-2022-0002.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2022/oxas-adv-2022-0002.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2022/oxas-adv-2022-0002.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2022-0002",
    "tracking": {
      "current_release_date": "2024-01-22T00:00:00+00:00",
      "generator": {
        "date": "2024-01-22T13:14:08+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2022-0002",
      "initial_release_date": "2022-11-02T00:00:00+01:00",
      "revision_history": [
        {
          "date": "2022-11-02T00:00:00+01:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "3",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.5-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.10.5-rev50",
                  "product_id": "OXAS-FRONTEND_7.10.5-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev19",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev19",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev19",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev19:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.4",
                "product": {
                  "name": "OX App Suite frontend 8.4",
                  "product_id": "OXAS-FRONTEND_8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.4:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.5-rev51",
                "product": {
                  "name": "OX App Suite frontend 7.10.5-rev51",
                  "product_id": "OXAS-FRONTEND_7.10.5-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev20",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev20",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev20",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev20:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "OX App Suite frontend 8.5",
                  "product_id": "OXAS-FRONTEND_8.5",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.5:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev50",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev51",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev51",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.5-rev50",
                "product": {
                  "name": "OX App Suite backend 7.10.5-rev50",
                  "product_id": "OXAS-BACKEND_7.10.5-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev29",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev29",
                  "product_id": "OXAS-BACKEND_7.10.6-rev29",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev29:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.4",
                "product": {
                  "name": "OX App Suite backend 8.4",
                  "product_id": "OXAS-BACKEND_8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.4:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.5-rev51",
                "product": {
                  "name": "OX App Suite backend 7.10.5-rev51",
                  "product_id": "OXAS-BACKEND_7.10.5-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev30",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev30",
                  "product_id": "OXAS-BACKEND_7.10.6-rev30",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev30:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "OX App Suite backend 8.5",
                  "product_id": "OXAS-BACKEND_8.5",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.5:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev65",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev65",
                  "product_id": "OXAS-BACKEND_7.6.3-rev65",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev65:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev66",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev66",
                  "product_id": "OXAS-BACKEND_7.6.3-rev66",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev66:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.6",
                "product": {
                  "name": "OX App Suite backend 8.6",
                  "product_id": "OXAS-BACKEND_8.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.6:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.7",
                "product": {
                  "name": "OX App Suite backend 8.7",
                  "product_id": "OXAS-BACKEND_8.7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite backend"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-37306",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-07-29T10:34:17+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-1795"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Non-alphanumeric content can be injected by the user as JS content for the \"upsell\" module. As a result, the code will be executed during subsequent logins and opening the \"Portal\" application, enabling a persistent cross-site scripting attack vector."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.5-rev51",
          "OXAS-FRONTEND_7.10.6-rev20",
          "OXAS-FRONTEND_8.5"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.5-rev50",
          "OXAS-FRONTEND_7.10.6-rev19",
          "OXAS-FRONTEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T16:16:36+02:00",
          "details": "Please deploy the provided updates and patch releases. We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS using \"upsell\" triggers"
    },
    {
      "cve": "CVE-2022-43696",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-09-26T10:30:45+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-1933"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "HTML content can be injected by the user as JS content for the \"upsell ads\" module. As a result, the code will be executed during subsequent logins and opening the \"Portal\" application, enabling a persistent cross-site scripting attack vector."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.5-rev51",
          "OXAS-FRONTEND_7.10.6-rev20",
          "OXAS-FRONTEND_7.6.3-rev51"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.5-rev50",
          "OXAS-FRONTEND_7.10.6-rev19",
          "OXAS-FRONTEND_7.6.3-rev50"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T16:07:30+02:00",
          "details": "Please deploy the provided updates and patch releases. We improved the sanitization process for upsell ads.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_7.6.3-rev50"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_7.6.3-rev50"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS using \"upsell ads\""
    },
    {
      "cve": "CVE-2022-43697",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-08-16T09:40:05+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.5"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-25T17:06:19+02:00",
          "details": "Please deploy the provided updates and patch releases. We made the related jslob configuration endpoint read-only for users.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "\"Tracking\" features can be used to inject arbitrary script code"
    },
    {
      "cve": "CVE-2022-43698",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2022-09-14T13:16:50+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1823"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.5"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-24T16:10:01+02:00",
          "details": "Please deploy the provided updates and patch releases. We now check compliance with existing deny-list content when updating POP3 mail accounts.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine \"internal\" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "SSRF using POP3 account updates"
    },
    {
      "cve": "CVE-2022-43699",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2022-10-06T13:09:35+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1862"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_7.6.3-rev66",
          "OXAS-BACKEND_8.6"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_7.6.3-rev65",
          "OXAS-BACKEND_8.5"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-07T16:24:39+01:00",
          "details": "Please deploy the provided updates and patch releases. We check for compliance with existing deny-list content when performing mail account autodiscovery.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_7.6.3-rev65",
            "OXAS-BACKEND_8.5"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_7.6.3-rev65",
            "OXAS-BACKEND_8.5"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine \"internal\" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Mail account discovery can be abused for SSRF"
    },
    {
      "cve": "CVE-2022-42889",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2022-10-19T13:46:58+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1882"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.7"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.6"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T10:32:30+02:00",
          "details": "Please deploy the provided updates and patch releases. We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Remote Code Execution, see CVE-2022-42889."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Apache Commons Text (CVE-2022-42889)"
    }
  ]
}

oxas-adv-2022-0002

Vulnerability from csaf_ox

Published

2022-11-02 00:00

Modified

2024-01-22 00:00

Summary

OX App Suite Security Advisory OXAS-ADV-2022-0002

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "CRITICAL"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "vendor",
      "name": "Open-Xchange GmbH",
      "namespace": "https://open-xchange.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6188_7.10.5_2022-11-02.pdf"
      },
      {
        "category": "external",
        "summary": "Release Notes",
        "url": "https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6189_7.10.6_2022-11-02.pdf"
      },
      {
        "category": "self",
        "summary": "Canonical CSAF document",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2022/oxas-adv-2022-0002.json"
      },
      {
        "category": "self",
        "summary": "Markdown representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/md/2022/oxas-adv-2022-0002.md"
      },
      {
        "category": "self",
        "summary": "HTML representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/html/2022/oxas-adv-2022-0002.html"
      },
      {
        "category": "self",
        "summary": "Plain-text representation",
        "url": "https://documentation.open-xchange.com/appsuite/security/advisories/txt/2022/oxas-adv-2022-0002.txt"
      }
    ],
    "title": "OX App Suite Security Advisory OXAS-ADV-2022-0002",
    "tracking": {
      "current_release_date": "2024-01-22T00:00:00+00:00",
      "generator": {
        "date": "2024-01-22T13:14:08+00:00",
        "engine": {
          "name": "OX CSAF",
          "version": "1.0.0"
        }
      },
      "id": "OXAS-ADV-2022-0002",
      "initial_release_date": "2022-11-02T00:00:00+01:00",
      "revision_history": [
        {
          "date": "2022-11-02T00:00:00+01:00",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "2",
          "summary": "Public release"
        },
        {
          "date": "2024-01-22T00:00:00+00:00",
          "number": "3",
          "summary": "Public release"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.5-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.10.5-rev50",
                  "product_id": "OXAS-FRONTEND_7.10.5-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev19",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev19",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev19",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev19:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.4",
                "product": {
                  "name": "OX App Suite frontend 8.4",
                  "product_id": "OXAS-FRONTEND_8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.4:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.5-rev51",
                "product": {
                  "name": "OX App Suite frontend 7.10.5-rev51",
                  "product_id": "OXAS-FRONTEND_7.10.5-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev20",
                "product": {
                  "name": "OX App Suite frontend 7.10.6-rev20",
                  "product_id": "OXAS-FRONTEND_7.10.6-rev20",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev20:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "OX App Suite frontend 8.5",
                  "product_id": "OXAS-FRONTEND_8.5",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.5:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev50",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev50",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev51",
                "product": {
                  "name": "OX App Suite frontend 7.6.3-rev51",
                  "product_id": "OXAS-FRONTEND_7.6.3-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite frontend"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.10.5-rev50",
                "product": {
                  "name": "OX App Suite backend 7.10.5-rev50",
                  "product_id": "OXAS-BACKEND_7.10.5-rev50",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev50:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev29",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev29",
                  "product_id": "OXAS-BACKEND_7.10.6-rev29",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev29:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.4",
                "product": {
                  "name": "OX App Suite backend 8.4",
                  "product_id": "OXAS-BACKEND_8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.4:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.5-rev51",
                "product": {
                  "name": "OX App Suite backend 7.10.5-rev51",
                  "product_id": "OXAS-BACKEND_7.10.5-rev51",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.5:rev51:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.10.6-rev30",
                "product": {
                  "name": "OX App Suite backend 7.10.6-rev30",
                  "product_id": "OXAS-BACKEND_7.10.6-rev30",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.10.6:rev30:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "OX App Suite backend 8.5",
                  "product_id": "OXAS-BACKEND_8.5",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.5:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev65",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev65",
                  "product_id": "OXAS-BACKEND_7.6.3-rev65",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev65:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "7.6.3-rev66",
                "product": {
                  "name": "OX App Suite backend 7.6.3-rev66",
                  "product_id": "OXAS-BACKEND_7.6.3-rev66",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:7.6.3:rev66:*:*:*:*:*:*",
                    "x_generic_uris": [
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6188"
                      },
                      {
                        "namespace": "https://documentation.open-xchange.com/appsuite/security/advisories/#urn-parsing",
                        "uri": "urn:open-xchange:app_suite:patch-id:6189"
                      }
                    ]
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.6",
                "product": {
                  "name": "OX App Suite backend 8.6",
                  "product_id": "OXAS-BACKEND_8.6",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.6:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.7",
                "product": {
                  "name": "OX App Suite backend 8.7",
                  "product_id": "OXAS-BACKEND_8.7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:a:open-xchange:app_suite:8.7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OX App Suite backend"
          }
        ],
        "category": "vendor",
        "name": "Open-Xchange GmbH"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-37306",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-07-29T10:34:17+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-1795"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Non-alphanumeric content can be injected by the user as JS content for the \"upsell\" module. As a result, the code will be executed during subsequent logins and opening the \"Portal\" application, enabling a persistent cross-site scripting attack vector."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.5-rev51",
          "OXAS-FRONTEND_7.10.6-rev20",
          "OXAS-FRONTEND_8.5"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.5-rev50",
          "OXAS-FRONTEND_7.10.6-rev19",
          "OXAS-FRONTEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T16:16:36+02:00",
          "details": "Please deploy the provided updates and patch releases. We improved the allow-list sanitizing algorithm to deal with non-alphanumeric code.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS using \"upsell\" triggers"
    },
    {
      "cve": "CVE-2022-43696",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-09-26T10:30:45+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "OXUIB-1933"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "HTML content can be injected by the user as JS content for the \"upsell ads\" module. As a result, the code will be executed during subsequent logins and opening the \"Portal\" application, enabling a persistent cross-site scripting attack vector."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-FRONTEND_7.10.5-rev51",
          "OXAS-FRONTEND_7.10.6-rev20",
          "OXAS-FRONTEND_7.6.3-rev51"
        ],
        "last_affected": [
          "OXAS-FRONTEND_7.10.5-rev50",
          "OXAS-FRONTEND_7.10.6-rev19",
          "OXAS-FRONTEND_7.6.3-rev50"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T16:07:30+02:00",
          "details": "Please deploy the provided updates and patch releases. We improved the sanitization process for upsell ads.",
          "product_ids": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_7.6.3-rev50"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-FRONTEND_7.10.5-rev50",
            "OXAS-FRONTEND_7.10.6-rev19",
            "OXAS-FRONTEND_7.6.3-rev50"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "XSS using \"upsell ads\""
    },
    {
      "cve": "CVE-2022-43697",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-08-16T09:40:05+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In case activity tracking adapters are enabled but not defined, users can use jslob to define own tracking settings for an account. This allows adding arbitrary values to trigger a specific URL or load a library."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.5"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-25T17:06:19+02:00",
          "details": "Please deploy the provided updates and patch releases. We made the related jslob configuration endpoint read-only for users.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require temporary access to the users account or lure a user to a compromised account."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "\"Tracking\" features can be used to inject arbitrary script code"
    },
    {
      "cve": "CVE-2022-43698",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2022-09-14T13:16:50+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1823"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When changing a valid external POP3 mail account as a user, the operation to update the accounts settings did not consider deny-list values."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.5"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-24T16:10:01+02:00",
          "details": "Please deploy the provided updates and patch releases. We now check compliance with existing deny-list content when updating POP3 mail accounts.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine \"internal\" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "SSRF using POP3 account updates"
    },
    {
      "cve": "CVE-2022-43699",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2022-10-06T13:09:35+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1862"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The external E-Mail autodiscovery feature performs connections checks based on the E-Mail addresses host-part. Those do not take existing deny-lists into respect, allowing attackers with access to DNS records of a domain to redirect requests to illegal addresses."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_7.6.3-rev66",
          "OXAS-BACKEND_8.6"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_7.6.3-rev65",
          "OXAS-BACKEND_8.5"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-11-07T16:24:39+01:00",
          "details": "Please deploy the provided updates and patch releases. We check for compliance with existing deny-list content when performing mail account autodiscovery.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_7.6.3-rev65",
            "OXAS-BACKEND_8.5"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_7.6.3-rev65",
            "OXAS-BACKEND_8.5"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Server-initiated requests can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine \"internal\" addresses and services, depending on measurement and content of error responses. While no data of such services can be exfiltrated, the risk is a violation of perimeter based security policies."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Mail account discovery can be abused for SSRF"
    },
    {
      "cve": "CVE-2022-42889",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "discovery_date": "2022-10-19T13:46:58+02:00",
      "ids": [
        {
          "system_name": "OX Bug",
          "text": "MWB-1882"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A critical vulnerability at the Apache Commons Text library has been identified, which is used by OX App Suite and OX Documents. However, our products do not directly use the vulnerable StringSubstitutor class. Based on current knowledge that means our products are not vulnerable."
        }
      ],
      "product_status": {
        "first_fixed": [
          "OXAS-BACKEND_7.10.5-rev51",
          "OXAS-BACKEND_7.10.6-rev30",
          "OXAS-BACKEND_8.7"
        ],
        "last_affected": [
          "OXAS-BACKEND_7.10.5-rev50",
          "OXAS-BACKEND_7.10.6-rev29",
          "OXAS-BACKEND_8.6"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-10-21T10:32:30+02:00",
          "details": "Please deploy the provided updates and patch releases. We provided a update for this library to resolve the risk as a precaution, in case custom implementations use the vulnerable class.",
          "product_ids": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.6"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "OXAS-BACKEND_7.10.5-rev50",
            "OXAS-BACKEND_7.10.6-rev29",
            "OXAS-BACKEND_8.6"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Remote Code Execution, see CVE-2022-42889."
        },
        {
          "category": "exploit_status",
          "details": "No publicly available exploits are known."
        }
      ],
      "title": "Apache Commons Text (CVE-2022-42889)"
    }
  ]
}

gsd-2022-43696

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

Aliases

CVE-2022-43696

Aliases

CVE-2022-43696

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-43696",
    "id": "GSD-2022-43696"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-43696"
      ],
      "details": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.",
      "id": "GSD-2022-43696",
      "modified": "2023-12-13T01:19:31.713190Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-43696",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://open-xchange.com",
            "refsource": "MISC",
            "url": "https://open-xchange.com"
          },
          {
            "name": "https://seclists.org/fulldisclosure/2023/Feb/3",
            "refsource": "MISC",
            "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.10.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-43696"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://seclists.org/fulldisclosure/2023/Feb/3",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
            },
            {
              "name": "https://open-xchange.com",
              "refsource": "MISC",
              "tags": [
                "Product"
              ],
              "url": "https://open-xchange.com"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-05-15T19:26Z",
      "publishedDate": "2023-04-15T02:15Z"
    }
  }
}

fkie_cve-2022-43696

Vulnerability from fkie_nvd

Published

2023-04-15 02:15

Modified

2025-02-06 16:15

Severity ?

6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.

References

URL	Tags
cve@mitre.org	https://open-xchange.com	Product
cve@mitre.org	https://seclists.org/fulldisclosure/2023/Feb/3	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://open-xchange.com	Product
af854a3a-2127-422b-91ae-364da2661108	https://seclists.org/fulldisclosure/2023/Feb/3	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
open-xchange	ox_app_suite	*
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6
open-xchange	ox_app_suite	7.10.6

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BBF1862-B6FF-4F32-A3C1-59D28BA25F81",
              "versionEndExcluding": "7.10.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:-:*:*:*:*:*:*",
              "matchCriteriaId": "3A4EAD2E-C3C3-4C79-8C42-375FFE638486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev01:*:*:*:*:*:*",
              "matchCriteriaId": "39198733-D227-4935-9A60-1026040D262F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev02:*:*:*:*:*:*",
              "matchCriteriaId": "3C86EE81-8CD4-4131-969A-BDA24B9B48E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev03:*:*:*:*:*:*",
              "matchCriteriaId": "F9E9C869-7DA9-4EFA-B613-82BA127F6CE5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev04:*:*:*:*:*:*",
              "matchCriteriaId": "F8FAA329-5893-412B-8349-4DA3023CC76E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev05:*:*:*:*:*:*",
              "matchCriteriaId": "BB6A57A4-B18D-498D-9A8C-406797A6255C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev06:*:*:*:*:*:*",
              "matchCriteriaId": "7F0977F0-90B4-48B4-BED6-C218B5CA5E03",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev07:*:*:*:*:*:*",
              "matchCriteriaId": "4D55DE67-8F93-48F3-BE54-D3A065479281",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev08:*:*:*:*:*:*",
              "matchCriteriaId": "D27980B4-B71B-4DA8-B130-F0B5929F8E65",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev09:*:*:*:*:*:*",
              "matchCriteriaId": "DD1709BC-7DEB-4508-B3C3-B20F5FD001A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev10:*:*:*:*:*:*",
              "matchCriteriaId": "08A6BDD5-259E-4DC3-A548-00CD0D459749",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev11:*:*:*:*:*:*",
              "matchCriteriaId": "B8166FF4-77D8-4A12-92E5-615B3DA2E602",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev12:*:*:*:*:*:*",
              "matchCriteriaId": "999F057B-7918-461A-B60C-3BE72E92CDC9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev13:*:*:*:*:*:*",
              "matchCriteriaId": "88FD1550-3715-493E-B674-9ECF3DD7A813",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev14:*:*:*:*:*:*",
              "matchCriteriaId": "F31A4949-397F-4D1B-8AEA-AC7B335722F8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev15:*:*:*:*:*:*",
              "matchCriteriaId": "D33A91D4-CE21-486D-9469-B09060B8C637",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev16:*:*:*:*:*:*",
              "matchCriteriaId": "5E3E5CD2-7631-4DBE-AB4D-669E82BCCAD4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev17:*:*:*:*:*:*",
              "matchCriteriaId": "2BEE0AF0-3D22-4DE7-9E71-A4469D9CA2EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev18:*:*:*:*:*:*",
              "matchCriteriaId": "AAFB199C-1D66-442D-AD7E-414DD339E1D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev19:*:*:*:*:*:*",
              "matchCriteriaId": "26322561-2491-4DC7-B974-0B92B61A5BDA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev20:*:*:*:*:*:*",
              "matchCriteriaId": "A6BA6C2B-F2D5-4FF7-B316-C8E99C2B464B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev21:*:*:*:*:*:*",
              "matchCriteriaId": "733E4A65-821B-4187-AA3A-1ACD3E882C07",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev22:*:*:*:*:*:*",
              "matchCriteriaId": "6B0A0043-33E8-4440-92AC-DDD70EA39535",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev23:*:*:*:*:*:*",
              "matchCriteriaId": "303205CC-8BDE-47EE-A675-9BA19983139A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev24:*:*:*:*:*:*",
              "matchCriteriaId": "8C088014-47D6-4632-9FB5-2C7B1085B762",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev25:*:*:*:*:*:*",
              "matchCriteriaId": "42CF6057-EB40-4208-9F1E-83213E97987C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev26:*:*:*:*:*:*",
              "matchCriteriaId": "966BC23E-B8CE-4F98-B3A6-4B620E8808BE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev27:*:*:*:*:*:*",
              "matchCriteriaId": "7409CE19-ACC1-4AF4-8C8A-AE2CDBB63D3D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev28:*:*:*:*:*:*",
              "matchCriteriaId": "17D71CDE-3111-459B-8520-F62E0D5D2972",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:open-xchange:ox_app_suite:7.10.6:rev29:*:*:*:*:*:*",
              "matchCriteriaId": "6D808ED6-F819-4014-BD24-4537D52DDFB0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OX App Suite before 7.10.6-rev20 allows XSS via upsell ads."
    }
  ],
  "id": "CVE-2022-43696",
  "lastModified": "2025-02-06T16:15:30.750",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-04-15T02:15:07.097",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://open-xchange.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://open-xchange.com"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://seclists.org/fulldisclosure/2023/Feb/3"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-43696

Vulnerability from cvelistv5

ghsa-p97x-fwwh-9fgq

Vulnerability from github

OXAS-ADV-2022-0002

Vulnerability from csaf_ox

oxas-adv-2022-0002

Vulnerability from csaf_ox

gsd-2022-43696

Vulnerability from gsd

fkie_cve-2022-43696

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature