Sematell ReplyOne Cross-Site Scripting Vulnerability
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Sematell ReplyOne version 7.4.3.0. The issue arises from inadequate input sanitization, allowing external attackers to embed malicious scripts in attachment names of emails sent to the ReplyOne email gateway. When these emails are accessed through the ReplyOne web application, the embedded scripts are executed, potentially leading to unauthorized access to internal ReplyDesk application resources, such as other emails.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where an attacker can execute scripts in the context of the user viewing the email, potentially leading to unauthorized access and exfiltration of other emails within the ReplyDesk application.
Reproduction
To reproduce this vulnerability, send an email to the ReplyOne email gateway with an attachment that has a maliciously crafted filename designed to execute a script, such as an image tag with an 'onerror' event. Once the email is received, open it in the ReplyOne web application. Hover over the attachment name to trigger the XSS payload, which will execute the embedded script, such as displaying an alert with the document's domain.
Remediation
Users are advised to update to the latest version of Sematell ReplyOne where this vulnerability has been fixed.
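The root cause described above is an attachment name reaching HTML without output encoding. The sketch below is an added example, not Sematell's code or the fix shipped by the vendor: it parses a constructed message, shows the unencoded rendering beside an encoded one, and flags markup in filenames at the gateway. The function names, the `span` markup and the regular expression are assumptions made for illustration.

```python
import html
import re
from email import message_from_string, policy

# Constructed sample message (not from the advisory): the attachment name carries
# an image tag with an onerror handler, the pattern the Reproduction text describes.
RAW = """\
From: sender@example.org
To: support@example.com
Subject: Order question
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attachment.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="<img src=x onerror=alert(document.domain)>.txt"

hello
--b1--
"""

def attachment_names(raw):
    """Return every attachment filename exactly as the sender supplied it."""
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def render_unsafe(name):
    """'Before': the name is concatenated into markup, so the tag becomes live."""
    return f'<span class="att" title="{name}">{name}</span>'

def render_safe(name):
    """'After': output-encode for both element and attribute context."""
    esc = html.escape(name, quote=True)
    return f'<span class="att" title="{esc}">{esc}</span>'

# Heuristic gateway check (an assumption, tune to taste): markup characters or
# an inline event-handler attribute have no place in a legitimate filename.
MARKUP = re.compile(r"[<>\"'`]|\bon\w+\s*=", re.IGNORECASE)

def suspicious(name):
    return bool(MARKUP.search(name))

if __name__ == "__main__":
    for n in attachment_names(RAW):
        print("flag:", suspicious(n), "|", render_safe(n))
```

Encoding at output is the actual fix; the filename heuristic is only a detection aid for mail that arrives before the update is applied.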
