Open-Xchange (OX) App Suite is a popular web-based groupware solution used for email, calendar, and document collaboration. In 2022, a Cross-Site Scripting (XSS) vulnerability — CVE-2022-43697 — was discovered, allowing attackers to execute malicious JavaScript in a user’s browser. This vulnerability was found in the activity tracking adapter, more specifically in the *jslob* definitions, and it impacted OX App Suite installations before version 7.10.6-rev30.
In this article, we’ll walk through the details of the vulnerability, see how the exploit works, and offer advice for mitigation.
What is CVE-2022-43697?
CVE-2022-43697 allows a remote attacker to inject malicious JavaScript into OX App Suite instances that use vulnerable versions (before 7.10.6-rev30). The injection point is the *activity tracking adapter*, which makes use of JavaScript Load Balancer (jslob) objects.
> Impact: If exploited, an attacker can make the victim’s browser run crafted scripts, leading to session hijacking, phishing, or further network attacks.
References
- OX App Suite Security Advisory
- NVD Entry for CVE-2022-43697
- OX App Suite Changelog
How Does the Vulnerability Work?
The vulnerability lies in how user-controlled data is handled in the activity tracking adapter's *jslob* files. An attacker can craft input, often via HTTP parameters or manipulated requests, which isn't sanitized before being rendered in the browser.
User Action: A user performs an action that generates an event logged by the activity tracker.
2. Malicious Input: The attacker supplies data (such as a specially crafted string in their name or action) that includes malicious JavaScript.
3. Rendering: The unsanitized data gets stored and displayed to other users by the web UI (activity feed, notifications, etc).
4. Execution: When another user views the affected page, the browser executes the attacker’s code.
Example Exploit
Suppose that activity tracking logs contain user-generated fields that are not properly escaped. The following snippet demonstrates how an attacker could inject a payload using a crafted name or message:
// Imagine this is part of an OX App Suite activity feed renderer
function renderActivity(actor, action) {
// No escaping is performed!
return <div>${actor} ${action}</div>;
}
// Attacker submits:
let actor = 'Alice<script>alert("XSS")</script>';
let action = 'uploaded a file.';
// Rendering the activity
let output = renderActivity(actor, action);
// output: <div>Alice<script>alert("XSS")</script> uploaded a file.</div>
When displayed in another user's browser, the JavaScript executes, showing a malicious popup (or performing far worse actions).
Proof-of-Concept Steps
1. Register a new user with the name "><script>alert("Hacked")</script>.
Mitigation
- Update Now! Upgrade your OX App Suite to 7.10.6-rev30 or later. Patches fix the vulnerable code by properly sanitizing and escaping user input.
- Review Activity Tracking Configuration: Limit which user data gets displayed in logs and feeds, and add extra output encoding as needed.
Web Application Firewall (WAF): Deploy rules to block common XSS payloads.
- Sanitize Existing Data: Consider cleansing already stored logs, as old entries might still contain malicious code.
Original References and Links
- NVD: CVE-2022-43697
- OX App Suite Security Advisory OXSA-2022-0004
- OX App Suite Changelog
Conclusion
If you use OX App Suite, this XSS vulnerability can put all your users at risk. Always keep your groupware up to date, especially for business-critical applications. Vigilance with output escaping and user input validation is a must for all web application developers.
Patch now, and review your logs for signs of suspicious activity today.
*(Please use this information responsibly, for educational and defensive purposes only.)*
Timeline
Published on: 04/15/2023 02:15:00 UTC
Last modified on: 04/21/2023 04:16:00 UTC