-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-082
Product: ReplyOne
Manufacturer: Sematell GmbH
Affected Version(s): 7.4.3.0
Tested Version(s): 7.4.3.0
Vulnerability Type: Incorrect Permission Assignment for Critical Resource (CWE-732)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-09-23
Public Disclosure: 2025-04-29
CVE Reference: CVE-2024-48905
Author of Advisory: Andreas Grasser, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ReplyOne is a customer response platform for categorizing and
automatically replying to incoming e-mails. It consists of a web server,
an application server and client software.

The manufacturer describes the product as a "sophisticated customer
support software [that] offers precise categorization and seamless
integration into your existing systems." (see [1]).

Due to incorrect permissions for an endpoint, it is vulnerable to
session hijacking.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

ReplyOne's REST API exposes an endpoint that returns all active sessions
on the application server. This endpoint can be accessed by any
authenticated user, regardless of their role.

Since the session endpoint also returns session tokens for logged-in
administrators, this vulnerability can be used to escalate user
privileges.
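The following Python model is an added example, not code from Sematell or SySS. It shows the two defects the advisory describes for a session-listing endpoint (authentication checked but no role check, and the response carrying the raw session tokens) next to a hardened handler, plus a small check over constructed access-log lines. The class and function names (Session, SessionStore, list_sessions_vulnerable, list_sessions_hardened, flag_session_listing), the "admin"/"agent" roles and the log format are all assumptions made for the example; only the two endpoint paths come from the advisory.

```python
from __future__ import annotations

import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Session:
    token: str   # the bearer secret (the value the cookie carries)
    user: str
    role: str    # "admin" or "agent" in this example (assumed roles)


class Forbidden(Exception):
    """Raised when the caller has no session or lacks the required role."""


class SessionStore:
    """Minimal in-memory session table standing in for the application server's."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Session] = {}

    def login(self, user: str, role: str) -> Session:
        session = Session(secrets.token_hex(16), user, role)
        self._by_token[session.token] = session
        return session

    def resolve(self, token: str) -> Optional[Session]:
        return self._by_token.get(token)

    def all(self) -> List[Session]:
        return list(self._by_token.values())


def list_sessions_vulnerable(store: SessionStore, caller_token: str) -> List[dict]:
    """CWE-732 pattern from the advisory: only 'is there a valid session?' is checked,
    not the caller's role, and every live token is written into the response."""
    if store.resolve(caller_token) is None:
        raise Forbidden("no valid session")
    return [{"user": s.user, "role": s.role, "token": s.token} for s in store.all()]


def session_ref(token: str) -> str:
    """Stable, non-reversible identifier for a session (SHA-256 prefix), so an
    operator can correlate or terminate a session without ever seeing the secret."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def list_sessions_hardened(store: SessionStore, caller_token: str) -> List[dict]:
    """Fixed handler: require the admin role and never return the secret itself."""
    caller = store.resolve(caller_token)
    if caller is None:
        raise Forbidden("no valid session")
    if caller.role != "admin":
        raise Forbidden("session listing requires the admin role")
    return [{"user": s.user, "role": s.role, "session_ref": session_ref(s.token)}
            for s in store.all()]


# Detection side: the two paths named in the advisory, requested by non-admin users.
SESSION_PATHS = ("/rest/sessions", "/desk/AR/rest/sessions")
LOG_RE = re.compile(r'^(?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)')


def flag_session_listing(log_lines: List[str], admin_users: Set[str]) -> List[Tuple[str, str]]:
    """Return (user, path) for every session-listing request made by a non-admin."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["path"].split("?")[0] in SESSION_PATHS and m["user"] not in admin_users:
            hits.append((m["user"], m["path"]))
    return hits


# Constructed access-log lines for the example; not output of the product.
SAMPLE_LOG = [
    'alice "GET /rest/sessions HTTP/1.1" 200',
    'bob "GET /desk/AR/rest/sessions HTTP/1.1" 200',
    'alice "GET /rest/tickets HTTP/1.1" 200',
    'admin1 "GET /rest/sessions HTTP/1.1" 200',
]


def demo() -> dict:
    """Exercise both handlers with one admin and one agent session."""
    store = SessionStore()
    admin = store.login("admin1", "admin")
    agent = store.login("bob", "agent")
    leaked = list_sessions_vulnerable(store, agent.token)
    try:
        list_sessions_hardened(store, agent.token)
        agent_blocked = False
    except Forbidden:
        agent_blocked = True
    admin_view = list_sessions_hardened(store, admin.token)
    return {
        "agent_sees_admin_token": any(e["token"] == admin.token for e in leaked),
        "agent_blocked_after_fix": agent_blocked,
        "tokens_in_admin_view": any("token" in e for e in admin_view),
        "flagged": flag_session_listing(SAMPLE_LOG, {"admin1"}),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened handler changes two things rather than one: the role check closes the privilege escalation, and replacing the token with a hash reference removes the value of the endpoint to anyone who does reach it, whether through a future authorization bug or a compromised administrator workstation.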
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The vulnerable endpoint can be accessed with any valid session at the
following two URLs:

- /rest/sessions
- /desk/AR/rest/sessions

The following two curl commands can be used to send the requests:

curl -b 'MM_SESSION=########-####-4###-####-############::ReplyDeskWeb' \
    'https://:/rest/sessions'

curl -b 'JSESSIONID=########################' \
    'https://:/desk/AR/rest/sessions'

It is now possible to authenticate against the application server's REST
API by sending the received session token as the "MM_SESSION" cookie.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-09-10: Vulnerability discovered
2024-09-23: Vulnerability reported to manufacturer
2024-09-30: Reported vulnerabilities again as the vendor did not respond
            to the first e-mail
2024-10-31: Asked the manufacturer for updates on the planned fixes as
            the vendor did not respond to the first e-mails
2024-11-04: Manufacturer disagreed with proposed release schedule
2024-11-05: Proposed alternative release schedule
2025-03-03: Asked the vendor for updates
2025-04-16: Proposed release schedule as vendor did not respond to the
            previous e-mail
2025-04-29: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ReplyOne
    https://www.sematell.com/en/product/features-3/
[2] SySS Security Advisory SYSS-2024-082
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-082.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Andreas Grasser of SySS GmbH.
E-Mail: andreas.grasser@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Andreas_Grasser.asc
Key ID: 0xEBF139DB998B143B
Key Fingerprint: 2EDD 9E86 636E D24A ED7E 3A8A EBF1 39DB 998B 143B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQJMBAEBCgA2FiEELt2ehmNu0krtfjqK6/E525mLFDsFAmgJ2+wYHGFuZHJlYXMu
Z3Jhc3NlckBzeXNzLmRlAAoJEOvxOduZixQ72rQP/j9BsbPDElLRmCCyaknsqT5S
zjiE9fv2vY08n6ZC36ALRmCoUjJSe28W50evG6eO8bynlU+E+3osraw6vveBL3gc
+B1CGz6+7m6qaysftaZ3JdSyyorhF3+LajxQG91/9RFyOmV0pZeaKz4bqzf0vJws
RbhcWjqGxBEE3wV9/n0yX7mxm6Dhzeri8THxw+TYlZxGA90BzznK+zHHE8AtkEi/
qAqMvoGpYew8ZLK3kR1d0cb6IVqVQNXcY+hUtLie/NTJxgL4qVb/mJbW2ail7sZm
07B/OLPxAIHC9Kn8oLM3FuMWbDz/ldLxMRbo7QpThu7hAynWMt9k7ctJF9dy0hM2
5nKBeQjGBf2k1oB/RC5cZR4eiYXHu+ejAL7JahggauyqWvRuCZc/udBcdtp6I/qb
aeZSn9amde8WfOhmpOrHiS1rlsQDdbZO86XwqwDIjTdG5x0YNmnePWasjMGCNTKp
5/2wmL0aDY5LVvywgGua6Ea/JsNNLY3ZlDSmmRmr0BQVnCJvCExH08rir5X/mHCG
urvQ52LTJIAed5d6TUsHxFZDCDFb9hBz6MEcflboAgaGDh1UDlbFaf0obkP2kNh2
57DvORlI2Mr1jejU+60Jee2n09kMb6y8U9JAzK/ZXCvLFlytyTdnGWVBAc8poAR3
T89NkrmxHVJ1jGyRqW+b
=7A5q
-----END PGP SIGNATURE-----