Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)
Vade Secure Gateway
During a penetration test, several cross-site scripting (XSS) vulnerabilities were found in an application developed by the French company Vade Secure. The vulnerable application is Vade Secure Gateway, an email scanning and processing tool for spam removal that can be managed via a web page.
Once we had identified the vulnerabilities and found that they had not been previously disclosed, we made several attempts to contact the company to report the issue, both via email and chat, but no contact could be established.
Software Popularity
Since we had no previous knowledge about this software, we wanted to verify its spread on the Internet.
We used fav-up to calculate the hash of the favicon and combined the result with Shodan, which allows searching for specific favicon hashes with the query:
http.favicon.hash:{HashFavicon}
The following picture highlights the number of detected products instances grouped by country.
Version identification
Even though there is no precise reference on the vendor site, it was possible to deduce the version via the release document found on the Vade Secure support page.
Given the changes made in version 3.0, we can infer that this is the target’s version.
**Since it was not possible to establish contact with the Company to identify a solution to these problems, we decided to hide the parameters and payloads in this article. However, we are always available in case Vade Secure wants to set up a collaboration with us, giving the opportunity to integrate the present article with information on future patches that solve the problems reported.**
Technical Recap
Three vulnerabilities were identified in this application, broken down as follows:
- one Reflected XSS vulnerability (CVE-2023-29713) [High]
- two DOM-based XSS vulnerabilities (CVE-2023-29712, CVE-2023-29714) [Medium]
These types of attacks allow an unauthorized user to inject JavaScript or HTML code into the victim’s browser in order to steal information or, through social engineering techniques, to induce the victim to perform certain operations.
Advisory – CVE-2023-29712
| DOM-based XSS in Vade Secure Gateway | Medium |
| --- | --- |
| Description | Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the **** parameter. |
| Remediations | See the section “recommendations” |
| Category | OWASP Top 10: A3 – Injection |
| CVSS v3.1 | Base Score: 6.1; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Affected product | Vade Secure Gateway <= v3.0 |
| Account | Unauthenticated |
| Vulnerable resources | REDACTED |
| Proof of Concept | See the picture below |
Advisory – CVE-2023-29713
| Reflected XSS in Vade Secure Gateway | High |
| --- | --- |
| Description | Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via a crafted payload to the GET request after the **** directory. |
| Remediations | See the section “recommendations” |
| Category | OWASP Top 10: A3 – Injection |
| CVSS v3.1 | Base Score: 8.1; Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L |
| Affected product | Vade Secure Gateway <= v3.0 |
| Account | Unauthenticated |
| Vulnerable resources | REDACTED |
| Proof of Concept | See the picture below |
Advisory – CVE-2023-29714
| DOM-based XSS in Vade Secure Gateway | Medium |
| --- | --- |
| Description | Cross Site Scripting vulnerability found in Vade Secure Gateway <= 3.0 allows a remote attacker to execute arbitrary code via the ****, ****, and **** cookies parameter. |
| Remediations | See the section “recommendations” |
| Category | OWASP Top 10: A3 – Injection |
| CVSS v3.1 | Base Score: 6.1; Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Affected product | Vade Secure Gateway <= v3.0 |
| Account | Unauthenticated |
| Vulnerable resources | REDACTED |
| Proof of Concept | See the picture below |
Recommendations
Since there is no known update that fixes the vulnerabilities described above, we recommend adopting a WAF and tuning it to mitigate these attacks. Also, if you have a direct contact at the supplier, please advise them of these issues.
Disclosure Timeline
- 14/03/2022 → Identification of the vulnerabilities
- 27/07/2022 → First email contact with Vade Secure (no reply)
- 05/08/2022 → Second email contact with Vade Secure (no reply)
- 03/02/2023 → Contacted via site chat and sent Vulnerability Disclosure Policy (we received a reply and they said they had turned the issue over to the relevant department)
- 06/03/2023 → Sent emails with evidence of the XSS vulnerabilities and Vulnerability Disclosure Policy (no reply)
- 08/03/2023 → Requested CVEs
- 08/03/2023 → Sent email to Vade Secure to inform them that we had applied for CVE assignment (no reply)
- 16/03/2023 → Sent email with proof of concept of the vulnerabilities to Vade Secure (no reply)
- 09/05/2023 → Assignment of CVEs by MITRE
- 23/05/2023 → Sent an email to request cooperation again to resolve the issues and to inform that the proof of concept will not be published (no reply)
Author
Nico Trionfetti is a member of Yarix’s Red Team and graduated from UNICAM with a degree in IT. He is passionate about penetration testing, with a focus on the web; outside of cybersecurity, he enjoys films, TV series and outdoor activities.