CVE-2022-37241: HTTP Response splitting through ‘format’ parameter
Description
On June 05, the security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal, discovered that MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the data_leak_list_ajax endpoint. The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users. The CWE definition for this vulnerability is CWE-79.
Proof of Concept
The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for MDaemon Technologies. The vulnerability was found in MDaemon SecurityGateway for Email Servers 8.5.2. The HTTP response appears to contain the output from the injected payload, indicating that the payload was executed successfully on the server. XSS attacks can expose the user's session cookie, allowing the attacker to hijack the user's session and gain access to the user's account, which could lead to impersonation of users.
Solution
- Sanitize all user-supplied input before using it. Your application code should never blindly output input data it received without validation.
- URL encoding must be done before inserting untrusted data into HTML URL parameter values.
- JavaScript encoding must be done before inserting untrusted data into JavaScript data values.
- CSS encoding and strict validation must be done before inserting untrusted data into HTML style property values.
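As an added illustration of these four context rules (example code written for this page, not code from the advisory or from the vendor), a Python sketch of a reflecting handler beside the encoder that matches each output context; the endpoint path, parameter name and sample value are constructed.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed sample: an attacker-controlled request parameter (think of the
# "format" parameter of an AJAX endpoint) that carries markup.
UNTRUSTED = '"><script>alert(1)</script>'

def reflect_unsafely(value: str) -> str:
    """Vulnerable pattern: the parameter is copied into the HTML verbatim."""
    return f'<div class="result">{value}</div>'

def encode_for_html(value: str) -> str:
    """HTML body or quoted attribute context: escape & < > " and '."""
    return html.escape(value, quote=True)

def encode_for_url_param(value: str) -> str:
    """HTML URL parameter context: percent-encode everything but unreserved chars."""
    return quote(value, safe="")

def encode_for_js(value: str) -> str:
    """JavaScript data value context: a JSON string literal, with < and > also
    escaped so a value can never close the enclosing <script> element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

CSS_ALLOWED = re.compile(r"^[A-Za-z0-9#.%\- ]{1,64}$")

def validate_css_value(value: str) -> bool:
    """Strict allow-list check for values destined for a style property."""
    return CSS_ALLOWED.match(value) is not None

def encode_for_css(value: str) -> str:
    """CSS string context: \\XXXXXX hex-escape every non-alphanumeric character."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\%06x" % ord(m.group(0)), value)

def reflect_safely(value: str, colour: str = "#000000") -> str:
    """The same fragment built with the encoder that matches each output context."""
    if not validate_css_value(colour):
        colour = "#000000"  # reject, do not try to repair, an unexpected style value
    return (
        f'<div class="result" style="color: {encode_for_css(colour)}">'
        f"{encode_for_html(value)}</div>\n"
        f'<a href="/export?format={encode_for_url_param(value)}">export</a>\n'
        f"<script>var fmt = {encode_for_js(value)};</script>"
    )
```

The encoder must be chosen by the context the value lands in, not by the value itself; the same string needs four different encodings above.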
| CVE-ID | Description | Products |
| --- | --- | --- |
| CVE-2022-37241 | MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the data_leak_list_ajax endpoint. | MDaemon Technologies SecurityGateway for Email Servers 8.5.2 |
History
2022-06-05: Vulnerability found.
2022-06-06: Vendor contacted.
2022-07-06: Vendor acknowledged and asked for one month time for public disclosure.
2022-07-26: Vendor released Security Notes.
2022-07-27: Requested for CVE.
2022-08-26: CVE Published.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-37241
https://files.mdaemon.com/securitygateway/release/relnotes_en.htm