Advisory ID:               SYSS-2025-021
Product:                   EMA Mail
Manufacturer:              ARTEC IT Solutions GmbH
Affected Version(s):       6.92
Tested Version(s):         6.92
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2025-03-07
Solution Date:             2025-03-12
Public Disclosure:         2025-05-07
CVE Reference:             CVE-2025-46611
Author of Advisory:        Lorin Samija, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

EMA Mail is a software to archive e-mails.

The manufacturer describes the product as follows (see [1]):

"In today's digital age, managing and archiving email is more than a luxury; it's a must-have. No matter your company's size or industry, EMA Mail delivers a dependable and efficient solution! EMA Mail ensures top-notch security for your email and streamlines your business processes with unmatched efficiency."

Due to missing user input sanitisation, EMA Mail is vulnerable to reflected cross-site scripting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

By analyzing the EMA Mail web interface, it was found that there are two functions which are prone to reflected cross-site scripting. This was due to missing user input sanitization.

In this attack, an attacker tampers with the parameter identifying a selected document in a POST request and injects JavaScript code here. The resulting server response reflects the injected JavaScript code, which is then executed in the browser. The injected JavaScript code, however, is not permanently stored on the server.

The functions to forward as well as to recover selected e-mails are affected. Both are available via the "/mailaction" endpoint.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

In both functions, the parameter signalling a specific document to be selected was affected. The parameter is usually of the form "doc_" with the value "on". An example would be "doc1234_Sy66Advisor1=on".

The payload "');alert("RXSS")//" (without the double quotes) was inserted into the parameter, resulting in the following parameter: "doc1234_Sy66Advisor1'); alert("RXSS")//=on" (again without the double quotes).

The inserted JavaScript code was included as part of the server response and then executed in the browser.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability was fixed in version 6.94. User input is no longer reflected back by the server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-03-07: Vulnerability reported to manufacturer
2025-03-12: Fix tested and confirmed
2025-05-07: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for EMA Mail
    https://www.artec-it.com/en-us/ema.html#ema_mail
[2] SySS Security Advisory SYSS-2025-021
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-021.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Lorin Samija of SySS GmbH.

E-Mail: lorin.samija@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lorin_Samija.asc
Key Fingerprint: 94DB F20A E995 035A 00C9 6BFA 8823 AB98 7815 6A92

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en
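
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not ARTEC's fix): a server-side guard for the flaw class described under "Vulnerability Details" and "Proof of Concept", which allow-lists document-selection field names and, where a name must still be echoed into a script, encodes it as a JavaScript string literal. The field-name grammar is an assumption inferred from the single example "doc1234_Sy66Advisor1"; the function names and sample request bodies are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode

# Assumed grammar for a document-selection field name, inferred from the
# advisory's one example ("doc1234_Sy66Advisor1"); the real format may differ.
DOC_FIELD = re.compile(r"doc[0-9]{1,18}_[A-Za-z0-9]{1,64}")

# Constructed sample bodies. BAD_BODY carries the payload quoted in the
# advisory, percent-encoded as a browser or proxy would send it.
GOOD_BODY = "doc1234_Sy66Advisor1=on&doc5678_Sy66Advisor1=on"
BAD_BODY = urlencode({"doc1234_Sy66Advisor1');alert(\"RXSS\")//": "on"})


def selected_documents(body: str) -> list[str]:
    """Return the selected document field names from a form-encoded POST body.

    Raises ValueError if any field starting with "doc" fails the allow-list,
    so a tampered name is rejected before it can reach a response template.
    """
    selected = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if not name.startswith("doc"):
            continue  # other form fields are validated elsewhere
        if DOC_FIELD.fullmatch(name) is None or value != "on":
            raise ValueError("malformed document selector")
        selected.append(name)
    return selected


def js_string_literal(text: str) -> str:
    """Encode text as a complete JavaScript string literal for a <script> block.

    json.dumps adds the surrounding double quotes and escapes quotes,
    backslashes and non-ASCII; the extra replacements keep "</script>" and a
    single quote from ending the script block or an enclosing attribute.
    Insert the result as-is, without adding quotes around it.
    """
    out = json.dumps(text)
    for ch in "<>&'":
        out = out.replace(ch, "\\u%04x" % ord(ch))
    return out
```

Validation alone closes the hole for these fields; the encoder is the second layer for any value that legitimately has to appear inside inline script.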