CVE-2022-37238: Authenticated Reflected Cross Site Scripting (XSS) at ‘currentRequest’ Parameter

Description 

On June 5, 2022, the security team of Green Tick Nepal Pvt. Ltd., Kathmandu, Nepal, discovered that MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to authenticated reflected Cross Site Scripting (XSS) via the currentRequest parameter.
Proof of Concept 

The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) and reported it to MDaemon Technologies. The vulnerability was found in MDaemon Technologies SecurityGateway for Email Servers 8.5.2. The value supplied in the currentRequest parameter is reflected into the HTTP response without output encoding, so a payload placed in that parameter is returned in the page and executed by the victim's browser; the script runs client-side, the server's part is the unescaped reflection. Because the flaw is reflected and the page requires authentication, an attacker has to get a logged-in user to open a crafted link. A successful XSS can expose the user's session cookie (unless it is marked HttpOnly), allowing the attacker to hijack the session and gain access to the user's account, which could lead to the impersonation of users.
Solution 

  • Validate all user-supplied input against an allow-list before using it. Application code should never write request data into a response without validation and output encoding for the context it is written into (HTML entity encoding for element content and attribute values).
  • URL encoding must be done before inserting untrusted data into HTML URL parameter values.
  • JavaScript encoding must be done before inserting untrusted data into JavaScript data values.
  • CSS encoding and strict validation must be done before inserting untrusted data into HTML style property values.
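The encoding rules above, as an added example that is not code from the advisory or from SecurityGateway: a small Node.js module that reflects a currentRequest value into four output contexts, once verbatim (the vulnerable pattern) and once through the encoder that matches each sink, plus an allow-list check for the parameter. The /view path, the page template, the allowed-ID pattern and the payload are assumptions constructed for the illustration.

```javascript
// Added example, not code from SecurityGateway or Green Tick Nepal: per-context
// output encoding for a reflected parameter such as `currentRequest`.
// The /view path, the template, the allowed-ID pattern and the payload below
// are assumptions made for illustration.

// 1. HTML element content and quoted HTML attribute values.
function encodeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// 2. URL query-parameter values: percent-encode everything outside the
//    unreserved set, so a value can neither add a parameter nor close the href.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// 3. JavaScript string literals: \xHH or \uHHHH for every non-alphanumeric
//    character, so quotes, backslashes and "</script>" cannot end the literal
//    or the script block.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 4. CSS property values: \HH followed by a space, which the CSS parser reads
//    as one escaped character, so ";", "}" or "url(" cannot take effect.
function encodeCss(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// Allow-list validation. Assumption: a request identifier is a short token of
// letters, digits, "_" or "-". Reject anything else before it reaches a template.
const REQUEST_ID = /^[A-Za-z0-9_-]{1,64}$/;
function isValidRequestId(value) {
  return REQUEST_ID.test(String(value));
}

// Vulnerable rendering: the parameter is reflected verbatim into four contexts.
function renderVulnerable(currentRequest) {
  return [
    `<a href="/view?currentRequest=${currentRequest}">Back</a>`,
    `<script>var currentRequest = '${currentRequest}';</script>`,
    `<div style="width:${currentRequest}">${currentRequest}</div>`,
  ].join('\n');
}

// Hardened rendering: the same template, each sink fed through its own encoder.
function renderHardened(currentRequest) {
  return [
    `<a href="/view?currentRequest=${encodeUrlParam(currentRequest)}">Back</a>`,
    `<script>var currentRequest = '${encodeJsString(currentRequest)}';</script>`,
    `<div style="width:${encodeCss(currentRequest)}">${encodeHtml(currentRequest)}</div>`,
  ].join('\n');
}

// Check used below: does the raw attack string survive into the response?
function reflectsRaw(html, payload) {
  return html.includes(payload);
}

// Constructed payload in the style of a reflected-XSS test, not the advisory's PoC.
const PAYLOAD = '"><script>alert(document.cookie)</script>';

console.log(renderVulnerable(PAYLOAD));
console.log('raw payload reflected:', reflectsRaw(renderVulnerable(PAYLOAD), PAYLOAD));
console.log(renderHardened(PAYLOAD));
console.log('raw payload reflected:', reflectsRaw(renderHardened(PAYLOAD), PAYLOAD));
console.log('passes allow-list:', isValidRequestId(PAYLOAD), isValidRequestId('req-42'));
```

Where the parameter has a known shape, run isValidRequestId first and reject the request; the encoders are the second layer for values that must be reflected as-is. The check reflectsRaw is the same test a reviewer applies to a captured response: if the raw attack string comes back unchanged, the sink is unencoded.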

CVE-ID:      CVE-2022-37238
Description: MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the currentRequest parameter.
Products:    MDaemon Technologies SecurityGateway for Email Servers 8.5.2
History

2022-06-05: Vulnerability found.

2022-06-06: Vendor contacted.

2022-07-06: Vendor acknowledged the report and asked for one month before public disclosure.

2022-07-26: Vendor released Security Notes.

2022-07-27: CVE requested.

2022-08-26: CVE Published.
References 

https://gtn.com.np/storage/2022/07/Authenticated-Reflected-Cross-Site-Scripting-XSS-at-currentRequest-Parameter.pdf

https://nvd.nist.gov/vuln/detail/CVE-2022-37238

https://files.mdaemon.com/securitygateway/release/relnotes_en.htm

https://www.tenable.com/cve/CVE-2022-37238