Nethserver 7 / 8 Cross Site Scripting

Nethserver 7 / 8 Cross Site Scripting
Posted May 21, 2024
Authored by Andrea Intilangelo

The NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross site scripting vulnerability: insufficient input sanitization and output escaping allow an attacker to store a malicious payload that executes arbitrary web scripts or HTML in the victim's browser. Versions 7 and 8 are affected.

tags | exploit, web, arbitrary, xss
advisories | CVE-2024-34058
SHA-256 | 71dee722377e162d1e9feb9e21ad78ba3b875d892287e875ff81e8ff1b5fccf2

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

[Suggested description]
The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field of an e-mail message).

------------------------------------------

[Additional Information]
The NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross-site scripting (XSS) vulnerability: insufficient input sanitization and output escaping allow an attacker to store a malicious payload that executes arbitrary web scripts or HTML in the victim's browser.

If a malicious payload is placed in, for example, the Subject field of an e-mail, it executes as soon as the message is displayed through the WebTop frontend.

Treat this with particular urgency: the vulnerability resides in NethServer, a distribution positioned as a security-oriented server and firewall platform.
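The following is an added illustration of the bug class the advisory describes (a decoded mail Subject inserted into the page without output escaping); it is not code from Sonicle WebTop, NethServer or the advisory author, and the sample subjects are constructed here rather than taken from the reporter's PoC. It assumes Node.js (for Buffer-based base64 decoding). The point a practitioner should take away is the ordering: Subject headers arrive RFC 2047-encoded, so the frontend must decode the encoded-words first and HTML-escape the decoded text immediately before inserting it into markup; escaping the raw header is a no-op because an encoded-word contains no HTML metacharacters.

```javascript
// Added example, not WebTop/NethServer code. Assumes Node.js for Buffer.
// Shows why a webmail Subject must be decoded first and escaped at output.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Contextual output encoding for an HTML text node.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Map an RFC 2047 charset label onto the Buffer encodings Node supports natively.
function bufferEncodingFor(charset) {
  const cs = charset.toLowerCase().replace(/\*.*$/, ''); // strip RFC 2231 language tag
  if (cs === 'utf-8' || cs === 'utf8') return 'utf8';
  if (cs === 'utf-16le') return 'utf16le';
  return 'latin1'; // iso-8859-1, us-ascii and (lossily) anything else
}

// Q-encoding: "_" is a space, "=XX" is a raw byte, everything else is literal.
function decodeQ(text) {
  const bytes = [];
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    const hex = text.slice(i + 1, i + 3);
    if (ch === '_') {
      bytes.push(0x20);
    } else if (ch === '=' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(ch.charCodeAt(0) & 0xff);
    }
  }
  return Buffer.from(bytes);
}

// Minimal RFC 2047 decoder for a header value: B and Q encoded-words, with the
// whitespace between adjacent encoded-words dropped as the RFC requires.
function decodeEncodedWords(header) {
  const joined = header.replace(/(\?=)\s+(=\?)/g, '$1$2');
  return joined.replace(/=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=/g, (_m, charset, enc, text) => {
    const buf = enc.toUpperCase() === 'B' ? Buffer.from(text, 'base64') : decodeQ(text);
    return buf.toString(bufferEncodingFor(charset));
  });
}

// Vulnerable pattern (the advisory's bug class): decoded subject concatenated into markup.
function renderSubjectVulnerable(rawSubject) {
  return `<div class="subject">${decodeEncodedWords(rawSubject)}</div>`;
}

// Common wrong fix: escaping the raw header. The encoded-word has no HTML
// metacharacters, so escaping changes nothing and decoding re-creates the tag.
function renderSubjectEscapedTooEarly(rawSubject) {
  return `<div class="subject">${decodeEncodedWords(escapeHtml(rawSubject))}</div>`;
}

// Correct order: decode first, then escape at the point of output.
function renderSubjectSafe(rawSubject) {
  return `<div class="subject">${escapeHtml(decodeEncodedWords(rawSubject))}</div>`;
}

// Check helper: element names present in a rendered fragment (unique, in order).
// A safe render of a subject must yield only the wrapper element.
function extractTags(html) {
  const names = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = m[1].toLowerCase();
    if (!names.includes(name)) names.push(name);
  }
  return names;
}

// Constructed sample subjects (hypothetical payloads, not the advisory's PoC).
const PAYLOAD_TEXT = 'Invoice 2024-05 <img src=x onerror=alert(document.cookie)>';
const SAMPLE_SUBJECT_B = '=?UTF-8?B?' + Buffer.from(PAYLOAD_TEXT, 'utf8').toString('base64') + '?=';
const SAMPLE_SUBJECT_Q = '=?UTF-8?Q?Invoice_=3Cimg_src=3Dx_onerror=3Dalert=281=29=3E?=';

const renderers = {
  vulnerable: renderSubjectVulnerable,
  escapedTooEarly: renderSubjectEscapedTooEarly,
  safe: renderSubjectSafe,
};
for (const [label, render] of Object.entries(renderers)) {
  const html = render(SAMPLE_SUBJECT_B);
  console.log(label.padEnd(16), extractTags(html).join(','), html);
}
```

Running it prints three lines: the vulnerable and escaped-too-early renders both contain an `img` element carrying the event handler, while the safe render contains only the wrapper `div` with the angle brackets turned into entities. The same ordering rule applies to every other header a webmail client displays (From display names, attachment file names, calendar invitation titles), not only Subject.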

------------------------------------------

[Vulnerability Type]
Cross Site Scripting (XSS)

------------------------------------------

[Vendor of Product]
Nethesis / Sonicle

------------------------------------------

[Affected Product Code Base]
NethServer - 7
NethServer - 8

------------------------------------------

[Affected Component]
Affected component: the WebTop mail/webmail module

------------------------------------------

[Attack Type]
Remote

------------------------------------------

[Impact Code execution]
true

------------------------------------------

[Impact Denial of Service]
true

------------------------------------------

[Impact Escalation of Privileges]
true

------------------------------------------

[Impact Information Disclosure]
true

------------------------------------------

[Attack Vectors]
A malicious payload inserted into (for example) the Subject field of an e-mail is executed once the message is loaded in the web frontend.

------------------------------------------

[Reference]
https://www.nethserver.org
https://github.com/NethServer/webtop5
https://github.com/NethServer/ns8-webtop

------------------------------------------

[Discoverer]
Intilangelo Andrea

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect your network with the built-in firewall, share your files and much more, everything on the same system."

An unauthenticated stored XSS vulnerability, caused by inadequately sanitized input and unescaped output of the e-mail Subject, exists in the bundled groupware, a collaboration suite accessible over the web from any HTML5 browser, smartphone or tablet.
It can be leveraged for a nearly zero-click attack: the sender needs no account on the target, and the recipient only has to view the message.

CVSS score: tbd* (but "High")
CVSS vector: tbd*
CWE: CWE-79

*Still to be calculated. The base string starts with "CVSS:3.1/AV:N/AC:L/PR:N": the sender of the mail carrying the payload needs no privileges, and User Interaction is arguably None as well, since the recipient only has to view the message for the payload to fire (for example, to grab the session cookie). Scope and the C/I/A impacts (anywhere from Low to High) must be judged in the context of what the application is used for, what it holds and what it is connected to. Quoting the product description, "through a modern user interface and a single authentication, it allows access to company mail, calendars, contacts, tasks, documents and much more, in a shared and secure platform": that means highly confidential information of every kind, plus connected cloud instances (also outside the private network) and synchronized mobile devices.

https://www.cve.org/CVERecord?id=CVE-2024-34058

Discovered and reported by Andrea Intilangelo


Timeline:

2024-01-03: Vulnerability discovered, kept as private 0day for further verification
2024-01-16: Request for CVE reservation & Multi-Party vulnerability coordination and disclosure
2024-04-23: Contacted the vendor for details, acknowledgment and to coordinate responsible disclosure
2024-04-30: Assigned CVE number: CVE-2024-34058
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability
2024-05-17: Disclosure