lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <A062757C-97C2-4799-91C7-00D19D53399A@intilangelo.it>
Date: Thu, 16 May 2024 22:36:24 +0300
From: Andrea Intilangelo <andrea@...ilangelo.it>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting
 (XSS) in WebTop package

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

> [Suggested description]
> The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field if an e-mail message).
> 
> ------------------------------------------
> 
> [Additional Information]
> NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping which allows an attacker to store a malicious payload as to execute arbitrary web scripts or HTML.
> 
> If malicious payload code is inserted within the subject field (as an example) of an email, it will be executed once the page is loaded through its frontend.
> 
> Keep in extreme consideration and urgency that this vulnerability reside in the security-oriented server (and firewalling) distribution called NethServer.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Cross Site Scripting (XSS)
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Nethesis / Sonicle
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> NethServer - 7
> NethServer - 8
> 
> ------------------------------------------
> 
> [Affected Component]
> Affected component: its mail/webmail module
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Impact Escalation of Privileges]
> true
> 
> ------------------------------------------
> 
> [Impact Information Disclosure]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> Malicious payload inserted within (in example) the subject field of an email will be executed once the page is loaded.
> 
> ------------------------------------------
> 
> [Reference]
> https://www.nethserver.org
> https://github.com/NethServer/webtop5
> https://github.com/NethServer/ns8-webtop
> 
> ------------------------------------------
> 
> [Discoverer]
> Intilangelo Andrea

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect your network with the built-in firewall, share your files and much more, everything on the same system."

Unauthenticated stored XSS vulnerability due not adequately sanitized input or escaped output for email subject exists in the provided Groupware, a collaboration suite of services accessible via web through any HTML5 browser, smartphone or tablet.
It can be leveraged for a nearly zero-click attack.

CVSS score: tbd* (but "High")
CVSS vector: tbd*
CWE: CWE-79

*Needs to be calculated, taking into consideration the initial partial base string "CVSS:3.1/AV:N/AC:L/PR:N" since the Privileges Required of who send the mail with the payload is none as well as User Interaction (who is receiving the mail, just visualizing it could trigger the payload - like, for example, to grab session cookie) despite arguable by someone, Scope and C/I/A (surely from Low to High) must be contextualized from the perspective of the application, what it is used for, contains/impacts and is connected to it: indeed, being a sensitive component "through a modern user interface and a single authentication, it allows access to company mail, calendars, contacts, tasks, documents and much more, in a shared and secure platform" (quoting the product description), that means any kind of highly confidential information, even connected cloud instance (also outside the private network) and mobile devices synchronization.

https://www.cve.org/CVERecord?id=CVE-2024-34058

Discovered and reported by Andrea Intilangelo


Timeline:

2024-01-03: Vulnerability discovered, kept as private 0day for further verification
2024-01-16: Request for CVE reservation & Multi-Party vulnerability coordination and disclosure
2024-04-23: Contacts with vendor for: details, acknowledgments and to coordinate the responsible disclosure
2024-04-30: Assigned CVE number: CVE-2024-34058
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability
2024-05-17: Disclosure
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ