Advisory ID: SYSS-2024-081
Product: ReplyOne
Manufacturer: Sematell GmbH
Affected Version(s): 7.4.3.0
Tested Version(s): 7.4.3.0
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-09-23
Public Disclosure: 2025-04-29
CVE Reference: CVE-2024-48906
Author of Advisory: Andreas Grasser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ReplyOne is a customer response platform for categorizing and
automatically replying to incoming e-mails. It consists of a web server,
an application server and client software.

The manufacturer describes the product as a "sophisticated customer
support software [that] offers precise categorization and seamless
integration into your existing systems." (see [1]).

Due to a lack of input sanitization, the web application is vulnerable to
persistent cross-site scripting attacks, which can be carried out by an
external attacker by sending an e-mail with a specially named attachment
to the e-mail gateway.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application can display incoming and outgoing e-mails and their
attachments. The cross-site scripting payload can be embedded in the web
application by sending an e-mail with a maliciously named attachment to
the e-mail gateway. When a user of the web application hovers over the
attachment name in the web application, the payload is triggered.

This allows an external attacker to gain access to the internal resources
of the ReplyDesk application, such as other e-mails. It was possible to
read and exfiltrate other e-mails without the need to bypass other
protection measures.
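The root cause described above is an attachment name taken from inbound mail and placed into HTML (the hover tooltip) without escaping. The following added example, which is not ReplyOne's code and assumes a hypothetical template that renders the name into a title attribute and as link text, shows the unsafe interpolation beside its escaped form, plus a gateway-side check that flags attachment names carrying HTML metacharacters:

```javascript
// Added example, not code from ReplyOne or SySS. Attachment names from
// inbound mail are attacker-controlled and must be treated as untrusted
// data wherever they are written into HTML.

// Constructed filenames (not the advisory's redacted payload).
const HOSTILE_NAME = 'report" data-injected="1<b>.txt';
const SAFE_NAME = 'invoice_2024-09.pdf';

// Vulnerable form: raw interpolation into an attribute and into text.
// The quote in the filename closes the title attribute early and the
// remainder becomes additional markup.
function renderAttachmentUnsafe(filename) {
  return `<a class="attachment" title="${filename}">${filename}</a>`;
}

// Escape the five HTML metacharacters. This is sufficient for values in
// double-quoted attributes and for element text content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened form: every interpolation point is escaped. In a browser the
// equivalent is assigning el.title and el.textContent instead of building
// markup strings at all.
function renderAttachmentSafe(filename) {
  const e = escapeHtml(filename);
  return `<a class="attachment" title="${e}">${e}</a>`;
}

// Gateway-side detection: flag attachment names containing HTML
// metacharacters or control characters so they can be logged or
// quarantined before an agent opens the conversation. This complements
// output escaping; it does not replace it.
function isSuspiciousAttachmentName(filename) {
  return /[<>"'&\x00-\x1f]/.test(filename);
}

// Count attributes in the rendered opening tag. The template defines two
// (class, title); a correctly escaped filename never adds a third.
function openingTagAttributeCount(html) {
  const m = html.match(/^<a\s([^>]*)>/);
  return m ? (m[1].match(/[a-z-]+="/g) || []).length : 0;
}
```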
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An attachment with the following filename and an arbitrary content was
used:

.txt

This attachment was sent to the e-mail gateway from an external e-mail
address. The inbound e-mail was then viewed in the ReplyOne web
application. When the cursor was placed over the attachment, the payload
was triggered and an alert box was displayed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-12: Vulnerability discovered
2024-09-23: Vulnerability reported to manufacturer
2024-09-30: Reported vulnerabilities again as the vendor did not respond
            to the first e-mail
2024-10-31: Asked the manufacturer for updates on the planned fixes as
            the vendor did not respond to the first e-mails
2024-11-04: Manufacturer disagreed with proposed release schedule
2024-11-05: Proposed alternative release schedule
2025-03-03: Asked the vendor for updates
2025-04-16: Proposed release schedule as vendor did not respond to the
            previous e-mail
2025-04-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ReplyOne
    https://www.sematell.com/en/product/features-3/
[2] SySS Security Advisory SYSS-2024-081
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-081.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Andreas Grasser of SySS GmbH.
E-Mail: andreas.grasser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Andreas_Grasser.asc
Key ID: 0xEBF139DB998B143B
Key Fingerprint: 2EDD 9E86 636E D24A ED7E 3A8A EBF1 39DB 998B 143B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en