Zertificon Z1 SecureMail Cross-Site Scripting Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A cross-site scripting vulnerability has been identified in Zertificon Z1 SecureMail Z1 CertServer version 3.16.4-2516-debian12. This vulnerability allows remote attackers to execute arbitrary code by embedding payloads in specific distinguished name ('dn') parameters (ST, L, O, OU, CN) of a self-signed X.509 certificate. The malicious certificate can then be used to exploit the vulnerability.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server where Z1 SecureMail is running.
Reproduction
To reproduce this vulnerability, create a self-signed X.509 certificate that includes payloads in the 'dn' parameters ST, L, O, OU, and CN, embedding them through the certificate request configuration file (req.conf). To break out of the parameter fields, insert a closing div tag in the ST parameter before the payload. Once the certificate is created, it can be used to exploit the vulnerability on the server.
Remediation
The vulnerability has been fixed in Z1 CertServer version 3.16.8.
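For tooling that displays certificate subjects, the following Python code flags markup characters in the DN attributes named above and HTML-escapes every value before it reaches a page. It is an added example, not Zertificon's code or part of the original advisory; the RFC 4514 style subject string, the sample values and the function names are constructed for illustration.

```python
import html
import re

WATCHED = {"ST", "L", "O", "OU", "CN"}   # DN attributes named in the advisory
MARKUP = re.compile(r"[<>\"'&]")         # characters that can leave an HTML text context
HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")
# Constructed sample subject with benign markup in OU and ST (not from a real certificate).
SAMPLE = r"CN=mail.example.test,OU=IT\3Ci\3E,O=Example Corp,L=Berlin,ST=\</div\>BE,C=DE"


def parse_subject(subject):
    """Split an RFC 4514 style subject into (attribute, value) pairs.

    Backslash escapes, both single-character and two-digit hex, are decoded.
    Multi-valued RDNs ('+') and '#'-encoded values are assumed absent.
    """
    rdns, buf, i = [], bytearray(), 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and HEXPAIR.fullmatch(subject[i + 1:i + 3]):
            buf.append(int(subject[i + 1:i + 3], 16))    # hex escape is one raw byte
            i += 3
        elif ch == "\\" and i + 1 < len(subject):
            buf += subject[i + 1].encode()               # escaped character kept literally
            i += 2
        elif ch == ",":
            rdns.append(buf.decode("utf-8", "replace"))  # unescaped comma ends an RDN
            buf = bytearray()
            i += 1
        else:
            buf += ch.encode()
            i += 1
    rdns.append(buf.decode("utf-8", "replace"))
    parts = (r.partition("=") for r in rdns)
    return [(a.strip(), v) for a, sep, v in parts if sep]


def audit_subject(subject):
    """Return the watched attributes whose decoded values contain markup characters."""
    return [(a, v) for a, v in parse_subject(subject)
            if a.upper() in WATCHED and MARKUP.search(v)]


def render_subject(subject):
    """Render the subject as an HTML definition list with every value escaped."""
    rows = "".join(f"<dt>{html.escape(a)}</dt><dd>{html.escape(v)}</dd>"
                   for a, v in parse_subject(subject))
    return f"<dl>{rows}</dl>"
```

Escaping at render time is the control that matters; the audit result is a signal for logging or rejecting a certificate, not a substitute for output encoding.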
