Nethserver 7 / 8 Cross Site Scripting

Published: 21 May 2024
Reported by: Andrea Intilangelo
Type: packetstorm
Source: packetstormsecurity.com
Views: 515

The NethServer 7/8 WebTop package allows unauthenticated stored XSS attack through email subject fiel

Related entries (family: title, published):

- CNNVD: NethServer cross-site scripting vulnerability (17 May 2024)
- CVE: CVE-2024-34058 (17 May 2024)
- Cvelist: CVE-2024-34058 (17 May 2024)
- NVD: CVE-2024-34058 (17 May 2024, 16:15)
- Positive Technologies: PT-2024-25671 · Webtop +1 (16 May 2024)
- RedhatCVE: CVE-2024-34058 (9 Jan 2026, 09:35)
- Vulnrichment: CVE-2024-34058 (17 May 2024)
`CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package  
  
[Suggested description]  
The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field of an e-mail message).  
  
------------------------------------------  
  
[Additional Information]  
The WebTop module installed on NethServer, produced by Sonicle, is affected by a stored cross-site scripting (XSS) vulnerability caused by insufficient input sanitization and missing output escaping. An attacker can store a malicious payload that executes arbitrary web script or HTML in the browser of any user who views it.  
  
If a malicious payload is placed in, for example, the Subject field of an e-mail, it is executed as soon as the page that renders that message is loaded in the WebTop frontend.  
  
Note that this vulnerability resides in NethServer, a distribution positioned as a security-oriented server and firewall platform, which makes remediation particularly urgent.  
  
------------------------------------------  
  
[Vulnerability Type]  
Cross Site Scripting (XSS)  
  
------------------------------------------  
  
[Vendor of Product]  
Nethesis / Sonicle  
  
------------------------------------------  
  
[Affected Product Code Base]  
NethServer - 7  
NethServer - 8  
  
------------------------------------------  
  
[Affected Component]  
The WebTop mail/webmail (groupware) module  
  
------------------------------------------  
  
[Attack Type]  
Remote  
  
------------------------------------------  
  
[Impact Code execution]  
true  
  
------------------------------------------  
  
[Impact Denial of Service]  
true  
  
------------------------------------------  
  
[Impact Escalation of Privileges]  
true  
  
------------------------------------------  
  
[Impact Information Disclosure]  
true  
  
------------------------------------------  
  
[Attack Vectors]  
A malicious payload placed in, for example, the Subject field of an e-mail is executed once the page that renders the message is loaded in the victim's browser.  
  
------------------------------------------  
  
[Reference]  
https://www.nethserver.org  
https://github.com/NethServer/webtop5  
https://github.com/NethServer/ns8-webtop  
  
------------------------------------------  
  
[Discoverer]  
Intilangelo Andrea  
  
Use CVE-2024-34058.  
  
Additional info:  
  
NethServer is an open source operating system for Linux enthusiasts, designed for small offices and medium-sized enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect your network with the built-in firewall, share your files and much more, everything on the same system."  
  
An unauthenticated stored XSS vulnerability, due to inadequately sanitized input and unescaped output of the e-mail subject, exists in the bundled groupware, a collaboration suite accessible over the web from any HTML5 browser, smartphone or tablet. The sender needs no account on the target system: any external party who can deliver mail to a WebTop user can plant the payload.  
It can be leveraged for a nearly zero-click attack, since the victim only has to view the message.  
  
CVSS score: tbd* (but "High")  
CVSS vector: tbd*  
CWE: CWE-79  
  
*Still to be calculated. The base string starts as "CVSS:3.1/AV:N/AC:L/PR:N": Privileges Required is None because whoever sends the mail carrying the payload needs no privileges, and User Interaction is argued as None because the recipient merely viewing the message can trigger the payload (for example, to grab the session cookie). The UI metric is arguable; many assessors would instead set UI:R, since the victim must open or preview the message. Scope and C/I/A (certainly somewhere from Low to High) must be assessed from the perspective of the application, what it is used for, what it contains and impacts, and what it is connected to. WebTop is a sensitive component: "through a modern user interface and a single authentication, it allows access to company mail, calendars, contacts, tasks, documents and much more, in a shared and secure platform" (quoting the product description), which means highly confidential information of any kind, as well as connected cloud instances (possibly outside the private network) and synchronized mobile devices.  
  
https://www.cve.org/CVERecord?id=CVE-2024-34058  
  
Discovered and reported by Andrea Intilangelo  
  
  
Timeline:  
  
2024-01-03: Vulnerability discovered, kept as private 0day for further verification  
2024-01-16: Request for CVE reservation & Multi-Party vulnerability coordination and disclosure  
2024-04-23: Contacts with vendor for: details, acknowledgments and to coordinate the responsible disclosure  
2024-04-30: Assigned CVE number: CVE-2024-34058  
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)  
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability  
2024-05-17: Disclosure  
`
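The mechanism the advisory above describes, a mail Subject header written into the webmail page without output escaping, shown as an added example that is not WebTop's, Sonicle's or NethServer's code: a minimal Node.js message-list renderer with the vulnerable and the escaped form side by side. The raw message, header names and function names are constructed for illustration. RFC 2047 encoded-word decoding is included to show why the fix has to be escaping at the output boundary, after decoding, rather than filtering the raw header bytes, where the payload need not contain a single `<`.

```javascript
// Added example (not WebTop's or NethServer's code): how an unescaped Subject header
// becomes stored XSS in a webmail list view, and the output-escaping fix.
// The message below is constructed for illustration.
const CONSTRUCTED_MESSAGE = [
  "From: sender@example.invalid",
  "To: victim@example.invalid",
  // Payload hidden in an RFC 2047 encoded word: a filter on the raw header sees no
  // "<" at all; the markup only appears once the header is decoded for display.
  "Subject: Invoice =?UTF-8?B?" +
    Buffer.from('<img src=x onerror="alert(document.cookie)">').toString("base64") +
    "?=",
  "",
  "Please find the invoice attached.",
].join("\r\n");

// RFC 2047 "B" (base64) encoded-word decoding; "Q" encoding omitted for brevity.
function decodeEncodedWords(value) {
  return value.replace(/=\?([^?]+)\?B\?([^?]*)\?=/gi, (_m, _charset, b64) =>
    Buffer.from(b64, "base64").toString("utf8"));
}

// Parse the header block of a raw RFC 5322 message into a lowercase-keyed object,
// joining folded continuation lines.
function parseHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/, 1)[0];
  const headers = {};
  let last = null;
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && last) {
      headers[last] += " " + line.trim();
      continue;
    }
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    last = line.slice(0, idx).trim().toLowerCase();
    headers[last] = line.slice(idx + 1).trim();
  }
  return headers;
}

// HTML entity escaping for text placed inside element content or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Vulnerable pattern: the decoded subject is interpolated into markup as-is
// (the browser-side equivalent is cell.innerHTML = subject).
function renderRowVulnerable(headers) {
  const subject = decodeEncodedWords(headers.subject || "");
  return `<tr><td class="subject">${subject}</td></tr>`;
}

// Fixed pattern: escape at the output boundary, after decoding
// (the browser-side equivalent is cell.textContent = subject).
function renderRowSafe(headers) {
  const subject = decodeEncodedWords(headers.subject || "");
  return `<tr><td class="subject">${escapeHtml(subject)}</td></tr>`;
}

// Check: the only tags in a rendered row should be the ones the template emits.
function hasInjectedTags(rowHtml) {
  const inner = rowHtml
    .replace(/^<tr><td class="subject">/, "")
    .replace(/<\/td><\/tr>$/, "");
  return /<[a-z!\/]/i.test(inner);
}

const parsed = parseHeaders(CONSTRUCTED_MESSAGE);
console.log(renderRowVulnerable(parsed));
console.log(renderRowSafe(parsed));
console.log("vulnerable render injects markup:", hasInjectedTags(renderRowVulnerable(parsed)));
console.log("safe render injects markup:", hasInjectedTags(renderRowSafe(parsed)));
```

Running it prints the two rows: the vulnerable one contains a live `<img ... onerror=...>` element, the safe one shows the same text as `&lt;img ...&gt;`. Escaping is done once, at the point where the decoded string meets HTML, which is the property a fix for this class of bug should have regardless of how the header was encoded in transit.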


Current as of 21 May 2024: Vulners AI Score 7.4 (High risk); EPSS 0.00363