CVE-2022-37310 in OX App Suite
Summary
by MITRE • 12/26/2022
OX App Suite through 7.10.6 allows XSS via a malicious capability to the metrics or help module, as demonstrated by a /#!!&app=io.ox/files&cap= URI.
Analysis
by VulDB Data Team • 06/18/2026
CVE-2022-37310 is a cross-site scripting (XSS) weakness in OX App Suite version 7.10.6 and earlier that lets an attacker inject script into the web application through a manipulated capability parameter. The issue specifically affects the metrics and help modules of the application framework, creating a persistent vector for malicious code execution that can compromise user sessions and data integrity.
The flaw stems from missing validation and sanitization of URI parameters, in particular the capability parameter handled by the application's routing mechanism. When a user opens a crafted URI such as /#!!&app=io.ox/files&cap=, the application does not adequately sanitize the capability value before rendering it in the web interface, so an attacker can inject arbitrary JavaScript that runs in the context of other users' sessions, abusing the trust the browser places in the application's origin.
The impact goes beyond simple script injection: an attacker can use it for session hijacking, data exfiltration, and privilege escalation within the application environment. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the weakness class for cross-site scripting, where user-controllable data is not properly escaped or validated before being rendered in a web page. The attack surface is particularly concerning because the affected modules are core application components that end users access frequently.
The attack vector relies on knowledge of the application's URL routing and capability-based access control, letting a threat actor steer the application's behavior through carefully crafted parameters. It can be combined with social engineering to deliver payloads that persist across user sessions and can potentially escalate to full application compromise. The issue maps to ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript), since it enables execution of malicious JavaScript through a web-based interface.
Organizations running OX App Suite should apply mitigations promptly: validate and sanitize all URI parameters, especially those related to application capabilities and routing. The recommended approach combines a strict Content Security Policy, validation and escaping of all user-provided input before rendering, and proper parameter sanitization in the application's routing layer. Security teams should also consider a web application firewall to detect and block suspicious URI patterns, and review the application's capability handling mechanisms. Note that the fragment part of a URI (everything after #) is never sent to the server, so a server-side filter cannot see it; the validation for this vector has to run in the client-side router itself. The vulnerability underscores the importance of input validation in web applications and of thorough security testing of routing and capability-based access control systems.
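The unsanitized-render gap described in the analysis and the validate-then-escape mitigation recommended above, as an added JavaScript example written for this page (not OX App Suite's code): a simplified fragment router reads cap= from a /#!!&app=io.ox/files&cap= style URI, and the vulnerable rendering is shown beside a hardened one. The hash format, the banner markup and the capability token syntax are assumptions for the example.

```javascript
// Simplified model of the CVE-2022-37310 bug class, written for this page
// (not OX App Suite's code): a client-side router reads "cap=" from the
// fragment of a URI like /#!!&app=io.ox/files&cap=... and puts it in markup.

// Parse the fragment after "#!!" into a key/value map (assumed format).
function parseHashParams(hash) {
  const params = {};
  const query = hash.startsWith("#!!") ? hash.slice(3) : hash.replace(/^#/, "");
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    params[key] = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
  }
  return params;
}

// Vulnerable pattern (CWE-79): the capability value is interpolated into HTML
// unchanged, so a value containing markup becomes part of the page.
function renderCapBannerVulnerable(params) {
  return `<div class="cap">Enabled capability: ${params.cap || ""}</div>`;
}

// Hardened pattern: allowlist the token shape, then HTML-escape on output.
// Token syntax is an assumption; real capability grants should come from the
// server-side session, never from the URL.
const CAP_TOKEN = /^-?[A-Za-z0-9_.]{1,64}$/;

function validateCapabilities(raw) {
  return raw.split(",").map(s => s.trim()).filter(t => CAP_TOKEN.test(t));
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderCapBannerSafe(params) {
  const caps = validateCapabilities(params.cap || "");
  return `<div class="cap">Enabled capability: ${escapeHtml(caps.join(","))}</div>`;
}

// Constructed probe value (a marker, not an exploit): markup placed in cap=.
const PROBE_HASH = "#!!&app=io.ox/files&cap=" + encodeURIComponent("<script>probe()</script>");

function compareRenderings(hash) {
  const p = parseHashParams(hash);
  return { vulnerable: renderCapBannerVulnerable(p), safe: renderCapBannerSafe(p) };
}

console.log(compareRenderings(PROBE_HASH));
```

The vulnerable rendering carries the marker through verbatim, while the hardened one rejects it at the allowlist and would escape anything that slipped past.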