Critical vulnerability affecting Open-Xchange is revealed

An information security report has been revealed regarding the finding of multiple vulnerabilities in the productivity software Open-Xchange, some considered as severe. Most of the security flaws found allow threat actors to perform server-side request forgery.

Below is a brief report of the flaws found, in addition to the methods used to mitigate their exploitation risk.

CVE-2019-18846: This is a server-side request forgery (SSRF) vulnerability present in One-Xchange versions 7.10.2 and earlier. The API for Attachments, Calendar, Tasks, and so on allows users to define references to email attachments that need to be added. This reference is not verified with an appropriate protocol and a host blacklist. Users could activate API calls that invoke local files or URLs. The content provided by these resources would be added as an attachment. 

The flaw received a score of 6.5/10 on the Common Vulnerability Scoring System (CVSS) scale. Developers have already corrected the vulnerability, implementing a protocol and host blacklist to avoid invoking file system references and local addresses.

CVE-2019-18846: A second SSRF vulnerability was detected in the One-Xchange backend, present in versions 7.10.2 and earlier. The RSS feature allows threat actors to add arbitrary data sources. To prevent sensitive data from being exposed, a host blacklist and protocol whitelist were implemented. Due to an error, the host blacklist was not checked in case the protocol passed the whitelist

The exploitation of this failure would allow mapping of the internal networks and potentially exposed services. The flaw received a score of 5.0/10 on the CVSS scale, information security specialists mentioned.

CVE-2019-9853: This is a lack of escape failure present in versions 7.10.2 and earlier that affects the readerengine component in Open-Xchange. Existing vulnerabilities in upstream projects could be used in the context of OX App Suite/OX Documents, so developers updated recent versions of LibreOffice used by the readerengine component to prevent the exploitation of flaws not directly related to this component, so this is strictly a precautionary measure.    

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as website of technology companies currently working to correct information security incidents.