CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

[Andrea Intilangelo <andrea () intilangelo it>]

CVE-2024-34058: Nethserver 7 & 8 stored cross-site scripting (XSS) in WebTop package

> [Suggested description]
> The WebTop package for NethServer 7 and 8 allows stored XSS (for example, via the Subject field if an e-mail message).
>
> ------------------------------------------
>
> [Additional Information]
> NethServer module installed as WebTop, produced by Sonicle, is affected by a stored cross-site scripting (XSS) 
> vulnerability due to insufficient input sanitization and output escaping which allows an attacker to store a 
> malicious payload as to execute arbitrary web scripts or HTML.
>
> If malicious payload code is inserted within the subject field (as an example) of an email, it will be executed once 
> the page is loaded through its frontend.
>
> Keep in extreme consideration and urgency that this vulnerability reside in the security-oriented server (and 
> firewalling) distribution called NethServer.
>
> ------------------------------------------
>
> [Vulnerability Type]
> Cross Site Scripting (XSS)
>
> ------------------------------------------
>
> [Vendor of Product]
> Nethesis / Sonicle
>
> ------------------------------------------
>
> [Affected Product Code Base]
> NethServer - 7
> NethServer - 8
>
> ------------------------------------------
>
> [Affected Component]
> Affected component: its mail/webmail module
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Impact Escalation of Privileges]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> Malicious payload inserted within (in example) the subject field of an email will be executed once the page is loaded.
>
> ------------------------------------------
>
> [Reference]
> https://www.nethserver.org
> https://github.com/NethServer/webtop5
> https://github.com/NethServer/ns8-webtop
>
> ------------------------------------------
>
> [Discoverer]
> Intilangelo Andrea

Use CVE-2024-34058.

Additional info:

NethServer is an Open Source operating system for the Linux enthusiast, designed for small offices and medium 
enterprises. From their website: "It's simple, secure and flexible" and "ready to deliver your messages, to protect 
your network with the built-in firewall, share your files and much more, everything on the same system."

Unauthenticated stored XSS vulnerability due not adequately sanitized input or escaped output for email subject exists 
in the provided Groupware, a collaboration suite of services accessible via web through any HTML5 browser, smartphone 
or tablet.
It can be leveraged for a nearly zero-click attack.

CVSS score: tbd* (but "High")
CVSS vector: tbd*
CWE: CWE-79

*Needs to be calculated, taking into consideration the initial partial base string "CVSS:3.1/AV:N/AC:L/PR:N" since the 
Privileges Required of who send the mail with the payload is none as well as User Interaction (who is receiving the 
mail, just visualizing it could trigger the payload - like, for example, to grab session cookie) despite arguable by 
someone, Scope and C/I/A (surely from Low to High) must be contextualized from the perspective of the application, what 
it is used for, contains/impacts and is connected to it: indeed, being a sensitive component "through a modern user 
interface and a single authentication, it allows access to company mail, calendars, contacts, tasks, documents and much 
more, in a shared and secure platform" (quoting the product description), that means any kind of highly confidential 
information, even connected cloud instance (also outside the private network) and mobile devices synchronization.

https://www.cve.org/CVERecord?id=CVE-2024-34058

Discovered and reported by Andrea Intilangelo


Timeline:

2024-01-03: Vulnerability discovered, kept as private 0day for further verification
2024-01-16: Request for CVE reservation & Multi-Party vulnerability coordination and disclosure
2024-04-23: Contacts with vendor for: details, acknowledgments and to coordinate the responsible disclosure
2024-04-30: Assigned CVE number: CVE-2024-34058
2024-05-06: Vendor agreed to the proposed responsible disclosure date (May 17)
2024-05-10: Shared a PoC requested by the vendor showing the vulnerability
2024-05-17: Disclosure