Mesalvo Meona Client Launcher Component
- <= 2025.04 5+323020
A vulnerability allowing email spoofing has been identified in the Mesalvo Meona Client Launcher and Server Components. The issue arises from insufficient verification of data authenticity: the server does not check the recipient supplied in a client message, so messages can be sent to any email address. This vulnerability affects Meona Client Launcher versions prior to 19.06.2020 15:11:49 and the Meona Server Component through version 2025.04 5+323020.
Exploitation of this vulnerability allows for email spoofing, where messages can be sent from a legitimate internal email address to any recipient, potentially facilitating social engineering attacks.
The vulnerability can be reproduced by manipulating the hardcoded email address in the feedback report functionality of the Meona Client Launcher. This can be done by analyzing and intercepting the application's traffic, which uses serialized Hessian objects for communication. Once the protocol is understood, the recipient email address can be swapped out for an arbitrary one, along with the message content. The server component does not verify the recipient address, allowing the spoofed email to be sent from an internal address.
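The server-side flaw described above is that the recipient (and sender) of the feedback mail are taken verbatim from the client-supplied object. The following added example, which is not Mesalvo code, models the decoded Hessian feedback object as a plain dict and contrasts that pattern with a handler that takes both addresses from server configuration and rejects a tampered request; the field names, addresses and domain are assumptions.

```python
"""Server-side handling of a feedback report (added example, not Mesalvo code).

The request dict stands in for the decoded Hessian object; the field names
"from", "to" and "body", the support inbox and the internal domain are assumed.
"""
from dataclasses import dataclass

SUPPORT_INBOX = "feedback@example.internal"          # assumed, server-side configured
INTERNAL_SENDER = "meona-launcher@example.internal"  # assumed, server-side configured
MAX_BODY_CHARS = 4000                                # assumed size limit


@dataclass(frozen=True)
class OutboundMail:
    sender: str
    recipient: str
    body: str


class RejectedFeedback(ValueError):
    """Raised when the client-supplied object does not match server policy."""


def build_mail_vulnerable(request: dict) -> OutboundMail:
    """The flawed pattern: every header field, including the recipient,
    is copied from the client object, so a modified object redirects the mail."""
    return OutboundMail(request["from"], request["to"], request["body"])


def build_mail_hardened(request: dict) -> OutboundMail:
    """Addresses come only from server configuration. The client copies are
    compared against it (exact match, so header-injection characters or a
    foreign domain cannot slip through) and any mismatch rejects the request."""
    to = str(request.get("to", "")).strip().lower()
    sender = str(request.get("from", "")).strip().lower()
    if to != SUPPORT_INBOX:
        raise RejectedFeedback(f"unexpected recipient {to!r}")
    if sender != INTERNAL_SENDER:
        raise RejectedFeedback(f"unexpected sender {sender!r}")
    body = str(request.get("body", ""))[:MAX_BODY_CHARS]
    return OutboundMail(INTERNAL_SENDER, SUPPORT_INBOX, body)


def accepts(request: dict) -> bool:
    """True when the hardened handler would send the report, False when rejected."""
    try:
        build_mail_hardened(request)
        return True
    except RejectedFeedback:
        return False


# Constructed sample objects: an untouched launcher report and a tampered one.
LEGIT_REQUEST = {"from": INTERNAL_SENDER, "to": SUPPORT_INBOX, "body": "Launcher crashed on start"}
TAMPERED_REQUEST = {"from": INTERNAL_SENDER, "to": "victim@external.example", "body": "Please reset your password at ..."}
```

With the vulnerable builder the tampered object yields a mail from the internal address to the external recipient; the hardened builder rejects it while still accepting the unmodified report.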