COYO 9.0.8 / 10.0.11 / 12.0.4 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2018-032  
Product: COYO  
Manufacturer: COYO GmbH  
Affected Version(s): 9.0.8, 10.0.11, 12.0.4  
Tested Version(s): 9.0.8, 10.0.11, 10.0.33, 12.0.4  
Vulnerability Type: Cross-Site Scripting (CWE-79)   
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2018-09-06   
Solution Date: 2019-01-16   
Public Disclosure: 2019-02-01   
CVE Reference: CVE-2018-16519  
Author of Advisory: Simon Moser, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
COYO is a social intranet software.  
  
The manufacturer describes the product as follows (see [1]):  
  
"COYO is an integrated platform for your official company news, social  
collaboration and team messaging."  
  
Due to a missing validation of URLs, COYO is vulnerable to persistent  
cross-site scripting  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
For URLs used by "iFrame" widgets, the server does not validate if they  
contain JavaScript calls. Thereby, it is possible to execute JavaScript  
code in the context of a user visiting a site prepared with a malicous  
widget.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
* Create a page  
* Add app > Content  
* Add new widget > iFrame  
* For URL, insert 'javascript:alert("SySS XSS");' and save  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
Update to the current version of COYO  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2018-09-05: Vulnerability discovered  
2018-09-06: Vulnerability reported to manufacturer  
2018-10-22: Disclosure postponed until release of 13.0.0  
2019-01-16: Release of a fixed version  
2019-02-01: Public disclosure of this advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for COYO  
https://www.coyoapp.com/en/home  
[2] SySS Security Advisory SYSS-2018-032  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-032.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/news/responsible-disclosure-policy/  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Simon Moser of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Simon_Moser.asc  
Key ID: 0x5FF2CFC6  
Key Fingerprint: E3C2 A86E 530D 8BD3 C40B 6542 8376 5B89 5FF2 CFC6  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web  
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: https://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
  
iQEzBAEBCgAdFiEE48KoblMNi9PEC2VCg3ZbiV/yz8YFAlxPeQoACgkQg3ZbiV/y  
z8bxnAf/RST+6oAzldQiyyLAS1dTaqQ7afXgxQ33f4I9Gpex4BiarEh2dhyEvhTS  
vykbX4Ycmt/iQ6V5ZfLqxJew1gdfKPyvzD9YbboYd2lgmurpzezhKhCg+ROXvhOg  
lCGmsvlK4Q3X4oELA91Y0hPrM4Z9gdEjFmmYYkwgQHLI7fqfFkDsuNF3Vu1J45DX  
pXOBLTyiF+PIecdcVc93mvzf7R0JC2e/j6fW+JFcgVLo3q71lrSLinf/64SPMYJP  
fFaLO7WHP2LLaCvnerlSSsFeLww9gGftCU1fcqIcvE4GkjI/GdCIFEgw3x0BJY5O  
LtG89db2FszTMzUHWdfHMOkW03JJzw==  
=1PqU  
-----END PGP SIGNATURE-----  
  
`