IceWarp Server 10.2.1 Reflected XSS Vulnerability (CVE-2024-55218)

What is IceWarp Server?

IceWarp Server is an all-in-one communication platform that provides email, chat, and collaborative tools for businesses. It is widely used due to its flexibility, scalability, and ease of integration into corporate environments.

However, during our security research, we discovered a Reflected Cross-Site Scripting (XSS) vulnerability in version 10.2.1 of IceWarp Server, specifically affecting the meta parameter. This vulnerability has been assigned the identifier CVE-2024-55218.

What is a Cross-Site Scripting (XSS) Vulnerability?

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web applications. When a victim interacts with the compromised application, the malicious code executes in their browser, leading to potential data theft, session hijacking, or defacement of the web page.

Types of XSS Vulnerabilities:
• Stored XSS: Malicious code is permanently stored on the server.
• Reflected XSS: Malicious code is sent as part of the request (typically in the URL), reflected back in the response, and immediately executed by the browser.
• DOM-Based XSS: The vulnerability exists in the client-side script itself.

How Did We Detect the IceWarp Server 10.2.1 Reflected XSS Vulnerability (CVE-2024-55218)?

As the Security For Everyone team, we routinely analyze popular web applications for vulnerabilities. During our analysis of IceWarp Server, we followed these steps:
1. Target Identification: We set up IceWarp Server version 10.2.1 in a controlled environment.
2. Manual Testing: While analyzing the application’s parameters, we identified the meta parameter as a potential entry point for user input.
3. Payload Injection: We crafted an XSS payload and injected it into the meta parameter using the following query:

?meta=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss-meta%27%29%3E

4. Execution Confirmation: Upon visiting the crafted URL, the payload successfully triggered a JavaScript confirm dialog in the browser, confirming the vulnerability.

This vulnerability (CVE-2024-55218) could allow an attacker to trick users into visiting a maliciously crafted URL, leading to session hijacking, cookie theft, or further attacks.

Proof of Concept (PoC)

Vulnerable Parameter: meta
Payload Example:

When a victim visits the above URL, a JavaScript confirm dialog appears, demonstrating the vulnerability.

How to Prevent Cross-Site Scripting (XSS) Vulnerabilities?

To protect against XSS vulnerabilities, developers and administrators should consider the following best practices:
• Input Validation: Validate and sanitize all user input.
• Output Encoding: Escape special characters before rendering them in the browser.
• Content Security Policy (CSP): Implement a strong CSP header to limit script execution.
• HttpOnly & Secure Cookies: Prevent cookies from being accessed by JavaScript.
• Regular Updates: Keep all systems and software up-to-date.
• Web Application Firewall (WAF): Deploy a WAF to filter malicious requests.
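
The output-encoding practice above, applied to the query string from step 3. This is an added example, not IceWarp's code: the page does not show how the server reflects meta, so the `<input>` template and all function names here are assumptions.

```javascript
// Query string from step 3 of the write-up.
const QUERY = "?meta=%27%3E%22%3Csvg%2Fonload=confirm%28%27xss-meta%27%29%3E";

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the meta parameter as a server framework would (percent-decoded).
function getMeta(query) {
  return new URLSearchParams(query).get("meta") ?? "";
}

// Hypothetical vulnerable template: raw value placed in a quoted attribute.
// The leading '> in the value closes the attribute and the tag.
function renderUnsafe(meta) {
  return `<input type='hidden' name='meta' value='${meta}'>`;
}

// Same hypothetical template with the value encoded at output time.
function renderSafe(meta) {
  return `<input type='hidden' name='meta' value='${escapeHtml(meta)}'>`;
}

// Crude demo check (not an HTML parser): list the element names that
// the markup opens, so an unexpected extra element stands out.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

const meta = getMeta(QUERY);
console.log("decoded :", meta);
console.log("unsafe  :", renderUnsafe(meta), "->", tagNames(renderUnsafe(meta)));
console.log("encoded :", renderSafe(meta), "->", tagNames(renderSafe(meta)));
```

With encoding applied, the only element in the output is the template's own input; the reflected value stays inside the attribute as text.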

Conclusion

The Reflected XSS vulnerability (CVE-2024-55218) in IceWarp Server 10.2.1 poses a significant security risk. Administrators are strongly encouraged to apply updates, review configurations, and implement the above security practices to mitigate such risks.

For further information and updates, follow our official channels.

Stay safe, stay secure!