
Vulnerability Report (02) Mail Server Misconfiguration Leads To Hijack Your Mail Server Due To BAD DMARC Implementation/Cross-Site Scripting Attacks/ Malicious Payloads Injection/Victim PC Hijack

Low
scopsy published GHSA-5vff-ww4r-q4j5 Feb 7, 2024

Package

No package listed

Affected versions

< 0.0.1

Patched versions

0.0.1

Description

Hi Team,

We have found your website vulnerable to this vulnerability.

Vulnerability Type: Mail Server Misconfiguration Leads To Hijack Your Mail Server Due To BAD DMARC Implementation/Cross-Site Scripting Attacks/ Malicious Payloads Injection/Victim PC Hijack

Severity: Critical

Description:

A DMARC Quarantine/Reject policy is not enabled on novu.co, so attackers will be able to send email using your domain novu.co to your users.

Due to this vulnerability, attackers will be able to use any email address of your application and send email to any one of your users.

Proof of concept is attached.

Impact:

Attackers will be able to send an email using your email [email protected] and other official emails of your company/staff members, which will result in business and reputation loss by sending unwanted emails to your users/clients as a result of exploiting this vulnerability.
Attackers will be able to take over any user account by sending your users malicious links using your company/official emails, which will result in a complete account takeover of any user, as they will follow any instructions given by your official company emails. Moreover, they will be able to do anything with your users by communicating with them using your company emails.
Attackers will be able to execute malicious scripts on the victim's PC by sending them malicious URLs and payloads directly via email, as the clients will see that these come from authenticated sources of your company email, which will result in malicious payloads/URLs being injected into your users' PCs.

Attackers will also be able to attach malicious files using your email, and once the files are downloaded to the victim's PC, this results in a victim PC hijack.

  • Cross-Site Scripting Attacks
  • Account Takeover
  • Transactions Performed
  • Money Scam
  • Actions Performed by Attackers
  • Malicious Code Execution
  • Victim PC Hijack
  • Malicious Files Get Downloaded To The Victim PC

Attack Scenario:

An assailant would send an email saying "with any unwanted information" (or with any malicious files attached to the email, instructing them to download it) using your company emails like [email protected] and any email which is found to be linked with your domain. Clicking on the link takes him to a site where certain JavaScript is executed which takes his novu.co information. The outcomes will be more perilous. PoC is likewise attached. You can likewise observe that I can utilize your domain name email and will be able to send the mail to any of the clients of novu.co.

This is just an example of what attackers will be able to do using your company emails. This issue has a larger impact, as attackers will be able to spoof your users by sending unwanted emails, and users will perform the actions provided by the attackers accordingly. Attackers will be able to spam your whole application and your users. They will be able to take whatever they want from your novu.co users: their credentials, their credit cards, and much more.

Attackers will also be able to perform transactions with your clients/users by communicating with them using your official company emails as we have shown in the proof of concept.

Mitigation:

You should review the policies applied in your DMARC mail server configuration. As I see it, your DMARC is misconfigured. Just add a DMARC Quarantine/Reject policy to your DMARC configuration, and attackers will not be able to exploit this vulnerability on your application.

Thank you

Sincerely,
John Lee
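The report's mitigation asks for a quarantine or reject policy. The following is an added example, not part of the advisory and not Novu's own configuration or code: it parses a `_dmarc.<domain>` TXT record per RFC 7489 and tells an enforcing policy from a monitor-only one, including the two partial cases a quick "p=" check misses (a `pct=` below 100 and an `sp=none` that leaves subdomains unprotected). The three sample records, the domain `example.com` and the report addresses are constructed placeholders, not novu.co's actual DNS data.

```python
"""Added example: parse a DMARC TXT record and decide whether it enforces.

Not part of the advisory or of Novu's configuration; the sample records
at the bottom are constructed for illustration only.
"""
from dataclasses import dataclass, field

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcRecord:
    policy: str            # p=   action for mail failing both SPF and DKIM alignment
    subdomain_policy: str  # sp=  action for subdomains; defaults to the p= value
    pct: int               # pct= share (0-100) of failing mail the policy applies to
    rua: list = field(default_factory=list)   # aggregate-report URIs
    ruf: list = field(default_factory=list)   # failure-report URIs
    tags: dict = field(default_factory=dict)  # every tag as found, for inspection


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse the value of a _dmarc.<domain> TXT record (RFC 7489 'tag=value;' syntax)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts:
        raise ValueError("empty record")
    # RFC 7489 6.4: v=DMARC1 must be the first tag and must match exactly;
    # otherwise receivers ignore the whole record, i.e. no policy at all.
    key, _, value = parts[0].partition("=")
    if key.strip() != "v" or value.strip() != "DMARC1":
        raise ValueError("record does not start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sp = tags.get("sp", policy).lower()
    if sp not in VALID_POLICIES:
        raise ValueError(f"invalid sp= tag: {sp!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        raise ValueError(f"invalid pct= tag: {tags['pct']!r}") from None
    if not 0 <= pct <= 100:
        raise ValueError(f"pct= out of range: {pct}")

    def uris(tag: str) -> list:
        return [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]

    return DmarcRecord(policy, sp, pct, uris("rua"), uris("ruf"), tags)


def enforcement_findings(rec: DmarcRecord) -> list:
    """List the reasons a record does not fully protect the domain from spoofing."""
    findings = []
    if rec.policy == "none":
        findings.append("p=none: receivers deliver spoofed mail normally and only send reports")
    elif rec.pct < 100:
        findings.append(f"pct={rec.pct}: the policy is applied to only {rec.pct}% of failing mail")
    if rec.policy != "none" and rec.subdomain_policy == "none":
        findings.append("sp=none: mail claiming to come from any subdomain is still unprotected")
    if not rec.rua:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unnoticed")
    return findings


def is_enforcing(txt: str) -> bool:
    """True only if spoofed mail for the domain and its subdomains is quarantined or rejected."""
    rec = parse_dmarc(txt)
    return (rec.policy in ("quarantine", "reject")
            and rec.pct == 100
            and rec.subdomain_policy != "none")


# Constructed sample records (placeholders, not novu.co's DNS data).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=50; sp=none"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; "
             "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-fail@example.com")

if __name__ == "__main__":
    for name, txt in (("monitor-only", MONITOR_ONLY), ("partial", PARTIAL), ("enforcing", ENFORCING)):
        rec = parse_dmarc(txt)
        print(f"{name}: p={rec.policy} sp={rec.subdomain_policy} pct={rec.pct} "
              f"enforcing={is_enforcing(txt)}")
        for finding in enforcement_findings(rec):
            print("   -", finding)
```

To check a live domain, feed the output of `dig +short TXT _dmarc.<domain>` (quotes stripped) to `parse_dmarc`. Two caveats a reviewer would add to the report above: a DMARC policy only fires on mail that fails both SPF and DKIM alignment, and it is applied by receivers at their discretion; and `p=reject` on the organizational domain does nothing against look-alike domains or a compromised legitimate sender.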

Severity

Low

CVSS overall score

3.7 / 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE ID

No known CVE

Weaknesses

No CWEs

Credits