From: Andrea Intilangelo <andrea@intilangelo.it>
To: oss-security@lists.openwall.com
Date: Thu, 16 May 2024 22:37:32 +0300
In-Reply-To: <20240430035913.XHeLj%cve-request@mitre.org>
References: <20240430035913.XHeLj%cve-request@mitre.org>
Message-ID: <24FB8424-5C27-487C-ADBD-FB7F5C61B841@intilangelo.it>
Subject: [oss-security] CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

> [Suggested description]
> The WebTop package for NethServer 7
> and 8 allows stored XSS (for example, via the Subject field of an e-mail message).
>
> ------------------------------------------
>
> [Additional Information]
> NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping, which allows an attacker to store a malicious payload so as to execute arbitrary web scripts or HTML.
>
> If malicious payload code is inserted within the subject field (as an example) of an email, it will be executed once the page is loaded through its frontend.
>
> Keep in extreme consideration and urgency that this vulnerability resides in the security-oriented server (and firewalling) distribution called NethServer.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Nethesis / Sonicle
>
> ------------------------------------------
>
> [Affected Product Code Base]
> NethServer - 7
> NethServer - 8
>
> ------------------------------------------
>
> [Affected Component]
> Affected component: its mail/webmail module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Malicious payload inserted within (for example) the subject field of an email will be executed once the page is loaded.
>
> ------------------------------------------
>
> [Reference]
> https://www.nethserver.org
> https://github.com/NethServer/webtop5
> https://github.com/NethServer/ns8-webtop
>
> ------------------------------------------
>
> [Discoverer]
> Intilangelo Andrea

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect your network with the built-in firewall, share your files and much more, everything on the same system."

An unauthenticated stored XSS vulnerability, caused by inadequately sanitized input and unescaped output of the e-mail subject, exists in the bundled groupware, a collaboration suite of services accessible via the web through any HTML5 browser, smartphone or tablet. "Unauthenticated" refers to the sender: anyone who can deliver mail to a WebTop user can plant the payload, which then runs in the browser session of the user who views the message.

It can be leveraged for a nearly zero-click attack.

CVSS score: tbd* (but "High")
CVSS vector: tbd*
CWE: CWE-79

*Needs to be calculated, starting from the partial base string "CVSS:3.1/AV:N/AC:L/PR:N". Privileges Required is None because whoever sends the mail carrying the payload needs none, and User Interaction is likewise None because the recipient merely viewing the mail can trigger the payload (for example, to grab the session cookie), although some may argue this point. Scope and C/I/A (certainly ranging from Low to High) must be contextualized from the perspective of the application: what it is used for, what it contains and impacts, and what it is connected to. Being a sensitive component which, "through a modern user interface and a single authentication, allows access to company mail, calendars, contacts, tasks, documents and much more, in a shared and secure platform" (quoting the product description), it holds all kinds of highly confidential information, and may be connected to cloud instances (also outside the private network) and to synchronized mobile devices.

https://www.cve.org/CVERecord?id=CVE-2024-34058

Discovered and reported by Andrea Intilangelo

Timeline:
2024-01-03: Vulnerability discovered, kept as private 0day for further verification
2024-01-16: Request for CVE reservation & multi-party vulnerability coordination and disclosure
2024-04-23: Contacts with vendor for details, acknowledgments and to coordinate the responsible disclosure
2024-04-30: Assigned CVE number: CVE-2024-34058
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability
2024-05-17: Disclosure
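The rendering defect the advisory describes (an e-mail Subject written into the webmail page without output escaping) shown as an added example. This is not WebTop's or NethServer's code and does not reproduce the PoC shared with the vendor; the sample mailbox, the `renderRowUnsafe`/`renderRowSafe` functions and the `hasUnexpectedMarkup` check are constructed here for illustration of the vulnerability class and its fix.

```javascript
// Added example (not WebTop/NethServer code): how a stored XSS in a webmail
// subject field arises, and how context-appropriate output encoding removes it.
// The mailbox below is constructed sample data; the hostile subject is a
// generic marker payload, not the one used against WebTop.

// Entity map for HTML element content and double-quoted attribute values.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: untrusted header fields are concatenated straight into HTML.
// The RFC 2047 decoder has already turned any =?UTF-8?B?...?= encoded-word into
// plain text, so decoding does not neutralize markup in the subject.
function renderRowUnsafe(msg) {
  return `<tr><td class="from">${msg.from}</td><td class="subject">${msg.subject}</td></tr>`;
}

// Hardened pattern: every untrusted field is encoded for the element-content context.
function renderRowSafe(msg) {
  return `<tr><td class="from">${escapeHtml(msg.from)}</td><td class="subject">${escapeHtml(msg.subject)}</td></tr>`;
}

// Constructed sample mailbox: one benign message, one attacker-controlled subject,
// one benign subject that merely contains HTML-special characters.
const MAILBOX = [
  { from: "alice@example.org", subject: "Q2 report" },
  { from: "attacker@example.net", subject: '<img src=x onerror="alert(document.cookie)">' },
  { from: "bob@example.org", subject: 'Re: "quotes" & <angle> brackets' },
];

function renderMailbox(mailbox, renderRow) {
  return "<table>" + mailbox.map(renderRow).join("") + "</table>";
}

// Regression check a fix should carry: after rendering, the only tags present are
// the template's own, and no tag carries an event-handler attribute.
const ALLOWED_TAGS = new Set(["table", "tr", "td"]);

function hasUnexpectedMarkup(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!ALLOWED_TAGS.has(m[1].toLowerCase())) return true; // injected element
    if (/\son[a-z]+\s*=/i.test(m[2])) return true;          // injected handler
  }
  return false;
}

console.log("unsafe render exposes injected markup:", hasUnexpectedMarkup(renderMailbox(MAILBOX, renderRowUnsafe)));
console.log("safe render exposes injected markup:  ", hasUnexpectedMarkup(renderMailbox(MAILBOX, renderRowSafe)));
```

`escapeHtml` is correct only for element content and quoted attribute values; a subject placed into a URL, a `<script>` block or an unquoted attribute needs the encoder for that context, and a message list that assigns the subject through `innerHTML` needs `textContent` instead. The `hasUnexpectedMarkup` check is the kind of assertion worth keeping in the test suite after a fix so the escaping cannot silently regress.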