Ferozo Webmail version 1.1 is vulnerable to Cross-Site Scripting (XSS) through the file upload functionality. An attacker can exploit this vulnerability by uploading a specially crafted file containing malicious JavaScript code. When the file is processed or viewed within the application, the embedded script executes within the victim's session, potentially leading to:
- Session Hijacking
- Unauthorized Actions
- Theft of Sensitive Information
This vulnerability arises due to insufficient sanitization and validation of file metadata and content during the upload process, allowing malicious users to inject unauthorized scripts and compromise the security of the webmail platform.
- Low
- Low (An authenticated user is required to upload a file.)
- Required (A user or administrator must interact with or open the uploaded file.)
- File Upload Feature: The vulnerability lies in the file upload functionality, where improper sanitization and validation lead to the execution of malicious JavaScript code in the browser of any user interacting with the uploaded file.
- Unauthorized Script Execution: The XSS vulnerability allows the execution of malicious JavaScript code within the user's session.
- Session Hijacking & Credential Theft: Attackers can hijack user sessions, steal sensitive information, or perform unauthorized actions under the victim’s session.
- Input Validation & Sanitization: Properly validate and sanitize all file metadata and content during the upload process.
- Restrict File Types: Limit the types of files that can be uploaded to prevent the execution of embedded scripts.
- Security Measures: Implement additional security controls to ensure that uploaded files are properly handled and do not execute unauthorized scripts.
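
The three mitigations above can be combined in one upload path. The following is an added example, not Ferozo's code and not part of the original advisory: the allowlist, function names and header choices are assumptions, and the sample inputs in any call are constructed.

```python
import html
import os
import re

# Assumed policy: extension -> (MIME type served, required leading magic bytes).
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".pdf": ("application/pdf", b"%PDF-"),
}

class UploadRejected(ValueError):
    """Raised when an upload fails the metadata or content checks."""

def safe_filename(raw_name):
    """Metadata check: reduce a client-supplied name to a conservative charset."""
    base = os.path.basename(raw_name.replace("\\", "/"))  # drop any path part
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    if not base:
        raise UploadRejected("empty filename after sanitization")
    return base[:100]

def validate_upload(raw_name, content):
    """Type restriction: return (stored_name, mime) or raise UploadRejected."""
    name = safe_filename(raw_name)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("file type not allowed: " + (ext or "(none)"))
    mime, magic = ALLOWED[ext]
    if not content.startswith(magic):  # extension and content must agree
        raise UploadRejected("content does not match declared type")
    return name, mime

def download_headers(stored_name, mime):
    """Handling control: make the browser save the file, never render it."""
    return {
        "Content-Type": mime,
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }

def render_attachment_label(raw_name):
    """Output encoding: escape the original name wherever the UI displays it."""
    return '<span class="attachment">%s</span>' % html.escape(raw_name, quote=True)
```

A magic-byte check alone does not rule out polyglot files, which is why the response headers and the output encoding are applied regardless of what validation concluded.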
CVE-2024-33231
Reported by [Facundo Fernandez / Security Researcher]