Internal reference: MWB-2315
Type: CWE-284 (Improper Access Control)
Component: backend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite backend 7.10.6-rev51, OX App Suite backend 8.17
First fixed revision: OX App Suite backend 7.10.6-rev52, OX App Suite backend 8.18
Discovery date: 2023-09-21
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29051
CVSS: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

Details:
User-defined templates can bypass access control. User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case.

Risk:
Unauthorized users could discover and modify application state, including objects related to other users and contexts. No publicly available exploits are known.

Solution:
We now make sure that the switch to disable user-generated templates by default works as intended, and we will remove the feature in future generations of the product.

---

Internal reference: OXUIB-2532
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-29052
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop disclaimer). Users were able to define disclaimer texts for an upsell shop dialog that contained script code which was not sanitized correctly.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.

---

Internal reference: OXUIB-2533
Type: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))
Component: frontend
Report confidence: Confirmed
Solution status: Fixed by vendor
Last affected revision: OX App Suite frontend 7.10.6-rev34
First fixed revision: OX App Suite frontend 7.10.6-rev35
Discovery date: 2023-09-07
Solution date: 2023-09-24
Disclosure date: 2023-09-25
CVE: CVE-2023-41710
CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Details:
XSS in upsell portal widget (shop URL). User-defined script code could be stored for an upsell-related shop URL. This code was not correctly sanitized when adding it to the DOM.

Risk:
Attackers could lure victims to user accounts with malicious script code and make them execute it in the context of a trusted domain. No publicly available exploits are known.

Solution:
We added sanitization for this content.
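The two frontend entries above (OXUIB-2532 and OXUIB-2533) describe the same defect class: a user-configurable disclaimer text and shop URL reaching the DOM without sanitization. The following is an added example, not OX App Suite code, showing the hardened rendering pattern such a fix amounts to: the URL is parsed and restricted to an http/https scheme allowlist, and the disclaimer is HTML-escaped before it is placed in markup. Function names, the settings object and the sample values are hypothetical.

```javascript
// Added illustration of the sanitization described in the advisory (not vendor code).
// Assumption: the shop URL is an absolute URL; relative or unparsable input is rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised absolute URL, or null when the value is not a safe link target.
function sanitizeShopUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch {
    return null; // not an absolute, parsable URL
  }
  // Scheme allowlist: anything that is not http(s) (javascript:, data:, ...) is dropped.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Escapes the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: user-controlled settings concatenated straight into markup.
function renderUpsellUnsafe(settings) {
  return `<a href="${settings.shopUrl}">${settings.disclaimer}</a>`;
}

// Hardened pattern: validated href, escaped text, and a plain <span> when the URL
// is rejected so the disclaimer still renders but cannot become a script link.
function renderUpsellSafe(settings) {
  const href = sanitizeShopUrl(settings.shopUrl);
  const disclaimer = escapeHtml(settings.disclaimer);
  if (href === null) {
    return `<span class="upsell-disclaimer">${disclaimer}</span>`;
  }
  return `<a class="upsell-shop" href="${escapeHtml(href)}" rel="noopener noreferrer">${disclaimer}</a>`;
}

// Constructed sample settings, as an administrator or user might store them.
const sampleSettings = {
  shopUrl: "https://shop.example.com/upgrade?plan=pro",
  disclaimer: 'Terms & conditions apply <script>x()</script>',
};
```

In a real widget the result of `renderUpsellSafe` would still be inserted with `textContent`/`setAttribute` or a templating layer that escapes by default rather than raw `innerHTML` on untrusted strings; the escaping above is what makes the string safe for an HTML sink.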