An information security report has been published regarding the discovery of multiple vulnerabilities in the productivity software Open-Xchange, some considered severe. Most of the security flaws found allow threat actors to perform server-side request forgery (SSRF).
Below is a brief report of the flaws found, in addition to the methods used to mitigate their exploitation risk.
CVE-2019-18846: This is a server-side request forgery (SSRF) vulnerability present in Open-Xchange versions 7.10.2 and earlier. The API for Attachments, Calendar, Tasks, and so on allows users to define references to email attachments that need to be added. This reference was not verified against an appropriate protocol and host blacklist, so users could trigger API calls that invoke local files or URLs. The content served by these resources would be added as an attachment.
The flaw received a score of 6.5/10 on the Common Vulnerability Scoring System (CVSS) scale. Developers have already corrected the vulnerability, implementing a protocol and host blacklist to avoid invoking file system references and local
CVE-2019-18846: A second SSRF vulnerability was detected in the Open-Xchange backend, present in versions 7.10.2 and earlier. The RSS feature allows threat actors to add arbitrary data sources. To prevent sensitive data from being exposed, a host blacklist and a protocol whitelist were implemented. Due to an error, the host blacklist was not checked when the protocol passed the whitelist.
The exploitation of this flaw would allow mapping of internal networks and potentially exposed services. The flaw received a score of 5.0/10 on the CVSS scale, information security specialists
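The two SSRF issues above share one root cause: a reference supplied by the user is fetched after an incomplete check. The following added example (not Open-Xchange code; the scheme whitelist, the blocked host names and the sample references are constructed for illustration) contrasts the ordering error described for the RSS feature, where passing the protocol whitelist ends validation before the host blacklist is consulted, with a check that requires both conditions and also rejects the local-file references described for the attachment API.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed policy for the example: only web schemes may be fetched,
# and a few host names are denied outright in addition to internal IP ranges.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "intranet.example"}  # constructed entries


def host_is_blocked(host):
    """True when the host is blacklisted or is a literal internal/loopback address."""
    if not host:                      # 'file:///...' and 'http:///x' carry no host at all
        return True
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)   # urlsplit already strips IPv6 brackets
    except ValueError:
        return False                  # a DNS name not on the list passes this check
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def reference_allowed_buggy(url):
    """Mirrors the error described for the RSS feature: once the scheme passes
    the whitelist the function returns, so the host blacklist is never consulted."""
    parts = urlsplit(url)
    if parts.scheme in ALLOWED_SCHEMES:
        return True                   # early return skips host_is_blocked()
    return False


def reference_allowed_fixed(url):
    """Both conditions must hold: whitelisted scheme AND host not blacklisted."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False                  # rejects file: and other non-web references
    return not host_is_blocked(parts.hostname)


if __name__ == "__main__":
    # Constructed sample references, not taken from any real incident.
    for ref in ("https://feeds.example.com/news.rss",
                "file:///var/tmp/example.txt",
                "http://localhost:8080/status",
                "http://10.0.0.5/"):
        print(f"{ref:40} buggy={reference_allowed_buggy(ref)!s:5} fixed={reference_allowed_fixed(ref)}")
```

The buggy variant accepts `http://localhost:8080/status` and `http://10.0.0.5/` because the scheme check alone decides; the fixed variant rejects both while still allowing the external feed.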
CVE-2019-9853: This is an insufficient-escaping flaw present in versions 7.10.2 and earlier that affects the readerengine component of Open-Xchange. Because existing vulnerabilities in upstream projects could be exploited in the context of OX App Suite/OX Documents, the developers updated the LibreOffice version used by the readerengine component. The update prevents exploitation of flaws not directly related to this component, so it is strictly a precautionary measure.
For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the websites of technology companies currently working to correct information security incidents.