-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-006
Product: sam*
Vendor: secova
Affected Version(s): 5.8.2 and below
Tested Version(s): 5.7.11
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Vendor Notification: 2016-01-08
Solution Date: 2016-04-18
Public Disclosure: 2016-05-24
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

It was discovered that the sam* application allows the usage of HTML code
inside email messages.

The sam* application is described as follows [2]:

"sam* is an electronic documentation system and is used primarily in the
areas of health and safety, occupational safety, occupational health,
environmental protection, quality waste management and HR. (Keyword: EHS
Software) All essential operational requirements for companies are ideally
satisfied with sam*. sam* dovetails the most important main and
sub-disciplines (ISO, OHSAS, knowledge logistics and legal compliance) with
one another."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The sam* application contains a feature for tracking accidents. An accident
entry can be created inside the application, and the persons involved can
be notified via email.

Because the description text is not properly sanitized before it is placed
into the notification email, the application can be used to send emails
with arbitrary HTML content.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) Create a new accident entry with the following description:

   test ItalicBold

2) Send a notification to an arbitrary mail address via sam*.
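To make the defect and its fix concrete, the following Python snippet is an added example; it is not code from SySS or from the sam* product. It renders an accident notification twice, once with the description interpolated raw into the HTML body (the pattern the advisory describes) and once with the description HTML-escaped at the point of embedding, and then assembles a multipart/alternative mail whose plain-text part is inert by construction. The sample description, the markup it carries and the email addresses are constructed for this example.

```python
import html
from email.message import EmailMessage

# Constructed sample input: an accident description carrying HTML markup,
# in the spirit of the advisory's "Italic"/"Bold" PoC. The exact markup is
# an assumption for this example, not the advisory's payload.
SAMPLE_DESCRIPTION = "test <i>Italic</i><b>Bold</b>"

# Constructed sender address; the .invalid TLD is reserved and never resolves.
SENDER = "noreply@example.invalid"


def render_notification_unsafe(description: str) -> str:
    """The vulnerable pattern the advisory describes: the untrusted
    description is interpolated straight into the HTML body, so any markup
    it contains is delivered as live HTML to the recipient's mail client."""
    return (
        "<html><body><p>New accident entry:</p>"
        f"<p>{description}</p></body></html>"
    )


def render_notification_safe(description: str) -> str:
    """Hardened form: escape at the point of embedding. '<', '>', '&' and
    quotes become character entities, so the text renders literally and can
    no longer open or close tags or attributes."""
    return (
        "<html><body><p>New accident entry:</p>"
        f"<p>{html.escape(description, quote=True)}</p></body></html>"
    )


def build_notification(recipient: str, description: str) -> EmailMessage:
    """Assemble a multipart/alternative mail: a plain-text part (where
    markup is inert by construction) plus the escaped HTML part."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = recipient
    msg["Subject"] = "Accident notification"
    # set_content() creates the text/plain part; add_alternative() turns the
    # message into multipart/alternative and appends the text/html part.
    msg.set_content(f"New accident entry:\n{description}\n")
    msg.add_alternative(render_notification_safe(description), subtype="html")
    return msg


def markup_survives(body: str, description: str) -> bool:
    """Check usable in a unit test or review gate: does the raw description
    (tags intact) appear verbatim in the rendered body? True means the
    template still delivers user-supplied markup as HTML."""
    return description in body


if __name__ == "__main__":
    unsafe_body = render_notification_unsafe(SAMPLE_DESCRIPTION)
    safe_body = render_notification_safe(SAMPLE_DESCRIPTION)
    print("unsafe body keeps markup:", markup_survives(unsafe_body, SAMPLE_DESCRIPTION))
    print("safe body keeps markup:  ", markup_survives(safe_body, SAMPLE_DESCRIPTION))
    print(build_notification("reporter@example.invalid", SAMPLE_DESCRIPTION).as_string())
```

Escaping belongs at the output boundary (here, where text meets the HTML template), not at input time: the same description may later be shown in the web UI, a PDF export or a plain-text mail, and each sink needs its own encoding. If rich formatting in descriptions is a product requirement, the alternative is an allow-list HTML sanitizer applied to the stored value rather than raw interpolation.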
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 5.8.3 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-12-22: Vulnerability discovered
2016-01-08: Vulnerability reported to vendor

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-006
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-006.txt
[2] Vendor description of sam*
    https://www.secova.de/en/home/what-is-sam/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXQzoFAAoJENWmFJbQahTez/oP/3vohqQkmCXgRxWA0VdDkEmP
2qeh4Go/acG2mNTMsackOYSf/rbVJxdS8CCTcd22lSpvBwSd5Ec5+67heXB9XitO
cK1ET4Jud7Ucano1SEauvwoN0YycCVObm4m3/5ursFeaEDO4O39EWSs1NT4BbvxH
6A2MbPUsL3ADUtwhLVY291kR+UHA8HVY0wNh3DhZpmNtZx91qowu5tZEgWMCHW4F
RubI0uStnS8g17yk8U0j0D2CJdkSPH/FfKFQlxuImZu3EmAV+00EzLEMSBRMTfsZ
nC2HEx6q/X3R9v9HdeGSHvcgn0r0UbPULmW0hUumZbpdFjrpAlcuXcKFZwiVE73L
cNWe28lt2y+VKdi1fVhyseRIBQXwzWOUUC1CtQtkqUVe67eNv968ebInhZRTbrqx
AI7MS597jfHzDWjzQ0lcvdK+tNhZ1Mcdp9y299NzZfYojoArAVgrqTUcVKKb/xns
6Fo3iDBfj5w2Gvz/AHaZXRYGm69uw6BTKZ/cg6remE64yR0hcoMNo2njnIbJEoA/
XitO6I6TboJD36NtyfMwRxVx+GXucCh30lAeBjyKfO6zOrIlemw4g73UFAVXsTYv
9xlX0a2tpwWIRt2Y9eSa4MF7EwnT6lt8wyQbU0lsYi96YDJgXUVTNoQcUdo9JKTh
DPJpAeYpWsg22afUb+hh
=sLpx
-----END PGP SIGNATURE-----