CVE-2022-37244: IFRAME Injection at ‘currentRequest’ Parameter

Description 

On June 05, 2022, the security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal, discovered that MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to IFRAME Injection via the currentRequest parameter: after login, a malicious tag supplied in this parameter is reflected into the page, resulting in IFRAME injection.


Proof of Concept 

The Security Team of Green Tick Nepal Pvt. Ltd. published a Proof of Concept (POC) for MDaemon Technologies. The vulnerability was found in MDaemon SecurityGateway for Email Servers 8.5.2. An IFRAME injection consists of one or more iframe tags inserted into a page or post's content; the injected frame typically downloads an executable program or performs other actions that compromise site visitors' computers. It can allow an attacker to modify the page, for example in order to steal another person's identity.


Solution 

  • Sanitize all user-supplied input before processing it. Your application code should never blindly output received input data without validation.
  • URL encoding must be done before inserting untrusted data into HTML URL parameter values.
  • JavaScript encoding must be done before inserting untrusted data into JavaScript data values.
  • CSS encoding and strict validation must be done before inserting untrusted data into HTML style property values.
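The four encoding contexts above, as an added example that is not part of the advisory or of MDaemon's code: a Python rendering of a reflected currentRequest value in its vulnerable form beside context-specific hardened forms. The hostile sample value, the page fragments and the allow-list are constructed for illustration.

```python
import html
import json
import re
from urllib.parse import quote

# Constructed hostile value for the currentRequest parameter (not taken from
# the advisory); it stands in for whatever a logged-in user might submit.
HOSTILE_VALUE = '<iframe src="https://attacker.example/"></iframe>'

# Constructed allow-list for a colour-like style value.
_STYLE_ALLOWED = re.compile(r"[A-Za-z0-9#%.,\- ]*")


def render_unsafe(current_request: str) -> str:
    """Vulnerable pattern: the parameter is written verbatim into the HTML
    body, so a submitted <iframe> tag becomes part of the page."""
    return f"<p>Current request: {current_request}</p>"


def render_html_body(current_request: str) -> str:
    """HTML-entity encode before inserting into element content or attributes."""
    return f"<p>Current request: {html.escape(current_request, quote=True)}</p>"


def render_url_param(current_request: str) -> str:
    """Percent-encode before inserting into a URL query-string value."""
    encoded = quote(current_request, safe="")
    return f'<a href="/SecurityGateway/?currentRequest={encoded}">Back</a>'


def render_js_value(current_request: str) -> str:
    """JavaScript-string encode (JSON, plus \\u003c for '<') before inserting
    into a script block, so the value cannot close the <script> element."""
    literal = json.dumps(current_request).replace("<", "\\u003c")
    return f"<script>var currentRequest = {literal};</script>"


def render_style_value(current_request: str) -> str:
    """Strict allow-list validation before use in a style property value;
    anything outside the allow-list falls back to a safe default."""
    value = current_request if _STYLE_ALLOWED.fullmatch(current_request) else "inherit"
    return f'<div style="color: {value}">Current request</div>'


def contains_iframe_tag(rendered: str) -> bool:
    """Verification check: True if a live <iframe> tag survived rendering."""
    return "<iframe" in rendered.lower()
```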

CVE-ID: CVE-2022-37244
Description: MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to IFRAME Injection via the currentRequest parameter; after login, a malicious tag supplied in this parameter leads to IFRAME injection.
Products: MDaemon Technologies SecurityGateway for Email Servers 8.5.2


History

2022-06-05: Vulnerability found.

2022-06-06: Vendor contacted.

2022-07-06: Vendor acknowledged and asked for one month time for public disclosure.

2022-07-26: Vendor released Security Notes.

2022-07-27: Requested for CVE.

2022-08-26: CVE Published.

References 

https://gtn.com.np/storage/2022/07/IFRAME-Injection-at-currentRequest-Parameter.pdf

https://nvd.nist.gov/vuln/detail/CVE-2022-37244

https://files.mdaemon.com/securitygateway/release/relnotes_en.htm
