Open-Xchange fixes for RCE
Open-Xchange, a popular infrastructure provider has released fixes for several security vulnerabilities impacting OX App Suite. A secure email and collaboration software designed for telcos, web hosting firms, and service providers.
The latest patch release includes fixes for two RCE vulnerabilities that were discovered in the software’s document converter component. CVE-2022-23100 and CVE-2022-24405 earned CVSS scores of 8.2 and 7.3.
The document converter API was also found to harbor a server-side request forgery (SSRF) vulnerability (CVE-2022-24406) that potentially allowed attackers to predict multipart-form data boundaries and overwrite its content.
Further down the severity list are two cross-site scripting (XSS) flaws impacting OX App Suite (CVE-2022-23099, CVE-2022-23101). To exploit these flaws, an attacker would need to force a victim to click on a malicious link.
In the wake of the Log4Shell issue that rocked the global software development industry last December, OX App Suite also includes an update that addresses a similar potential issue in the Logback component (CVE-2021-42550).
The vulnerabilities impact OX App Suite versions 7.10.6 and earlier. They have all been fixed by the vendor in various branch updates.