[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package
From: Andrea Intilangelo <andrea@xxxxxxxxxxxxxx>
Date: Thu, 16 May 2024 22:36:24 +0300

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop 
package

> [Suggested description]
> The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via 
> the Subject field if an e-mail message).
> 
> ------------------------------------------
> 
> [Additional Information]
> NethServer module installed as WebTop, produced by Sonicle, is affected by a 
> stored cross-site scripting (XSS) vulnerability due to insufficient input 
> sanitization and output escaping which allows an attacker to store a 
> malicious payload as to execute arbitrary web scripts or HTML.
> 
> If malicious payload code is inserted within the subject field (as an 
> example) of an email, it will be executed once the page is loaded through its 
> frontend.
> 
> Keep in extreme consideration and urgency that this vulnerability reside in 
> the security-oriented server (and firewalling) distribution called NethServer.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Scripting (XSS)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Nethesis / Sonicle
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NethServer - 7
> NethServer - 8
> 
> ------------------------------------------
> 
> [Affected Component]
> Affected component: its mail/webmail module
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Impact Escalation of Privileges]
> true
> 
> ------------------------------------------
> 
> [Impact Information Disclosure]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> Malicious payload inserted within (in example) the subject field of an email 
> will be executed once the page is loaded.
> 
> ------------------------------------------
> 
> [Reference]
> https://www.nethserver.org
> https://github.com/NethServer/webtop5
> https://github.com/NethServer/ns8-webtop
> 
> ------------------------------------------
> 
> [Discoverer]
> Intilangelo Andrea

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, 
designed for small offices and medium enterprises. From their website: "It's 
simple, secure and flexible" and "ready to deliver your messages, to protect 
your network with the built-in firewall, share your files and much more, 
everything on the same system."

Unauthenticated stored XSS vulnerability due not adequately sanitized input or 
escaped output for email subject exists in the provided Groupware, a 
collaboration suite of services accessible via web through any HTML5 browser, 
smartphone or tablet.
It can be leveraged for a nearly zero-click attack.

CVSS score: tbd* (but "High")
CVSS vector: tbd*
CWE: CWE-79

*Needs to be calculated, taking into consideration the initial partial base 
string "CVSS:3.1/AV:N/AC:L/PR:N" since the Privileges Required of who send the 
mail with the payload is none as well as User Interaction (who is receiving the 
mail, just visualizing it could trigger the payload - like, for example, to 
grab session cookie) despite arguable by someone, Scope and C/I/A (surely from 
Low to High) must be contextualized from the perspective of the application, 
what it is used for, contains/impacts and is connected to it: indeed, being a 
sensitive component "through a modern user interface and a single 
authentication, it allows access to company mail, calendars, contacts, tasks, 
documents and much more, in a shared and secure platform" (quoting the product 
description), that means any kind of highly confidential information, even 
connected cloud instance (also outside the private network) and mobile devices 
synchronization.

https://www.cve.org/CVERecord?id=CVE-2024-34058

Discovered and reported by Andrea Intilangelo


Timeline:

2024-01-03: Vulnerability discovered, kept as private 0day for further 
verification
2024-01-16: Request for CVE reservation & Multi-Party vulnerability 
coordination and disclosure
2024-04-23: Contacts with vendor for: details, acknowledgments and to 
coordinate the responsible disclosure
2024-04-30: Assigned CVE number: CVE-2024-34058
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability
2024-05-17: Disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Prev by Date: [FD] SEC Consult SA-20240513-0 :: Tolerating Self-Signed Certificates in SAP® Cloud Connector
Next by Date: [FD] asterisk release 18.23.1
Previous by thread: [FD] SEC Consult SA-20240513-0 :: Tolerating Self-Signed Certificates in SAP® Cloud Connector
Next by thread: [FD] asterisk release 18.23.1
Index(es):
- Date
- Thread