Stored DOM XSS in Email Body of SmarterMail (CVE-2023-48115)

Summary

A Stored DOM XSS vulnerability exists in the email message component of the SmarterMail product version 16.x 8495 through 8664. An attacker can exploit this by inserting malicious HTML or JavaScript code into the message body. Upon the victim opening the message, the embedded malicious script will execute.

In order to mitigate this vulnerability Install the latest application patch (Build 8747).

Impact

It is possible to take over a victim's account when they open their inbox.

Technical Details

While auditing the client-side code, I noticed an effective JavaScript sanitization function in place. However, upon closer inspection, I identified a logic flaw within the sanitization process. This flaw, if combined with a backend weakness, could potentially lead to an XSS exploit.

The flawed code is as follows:

vulnerable JS code

The code checks whether the 'messageHTML' parameter in the HTTP response is either empty or equals '<br>'. If this condition is met, it sets the value of 'messagePlainText' as innerHTML. Typically, when composing a new email and including HTML code, the server sanitizes the HTML and places it into 'messagePlainText'. However, I considered the scenario of setting both 'messageHTML' and 'messagePlainText' in the same request.

The backend code exhibits a vulnerability where if the received request contains the 'messagePlainText' parameter, the server omits the sanitation process for the 'messageHTML' value and updates the 'PlainText' value without proper sanitization."

I inserted HTML code into the 'messagePlainText' parameter and assigned the value of 'messageHTML' as '<br>', then proceeded to send the request."

modified request

After the victim opens their inbox and views your email, the malicious code will execute, as demonstrated below:

Alerted Token

Vendor Communication

07/11/2023: Issues were reported to the vendor
29/11/2023: A BETA version was released 
05/12/2023: I tested the BETA version and confirmed issues were fixed
13/12/2023: A patch (Build 8747) was released
18/12/2023: Public disclosure