Brandon Da Costa and Mahdi Afshar have found that sao executes JavaScript embedded in HTML documents (such as attachments) when it renders them. Such documents may be uploaded by any authenticated user. The JavaScript is executed in the same context as sao, which gives it access to sensitive data such as the session.
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
If the inbound_email and document_incoming modules are activated, the impact increases, as anybody can send emails with attachments: CVSS v3.0 Base Score: 8.1
Workaround
There is no general workaround.
For inbound email, blocking emails with HTML attachments will block this attack vector.
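An added example, not Tryton's code or part of this advisory, of how the inbound-email workaround above can be enforced as a Python filter in front of the inbound_email / document_incoming path; the function names and the sample messages are constructed. It goes slightly beyond the text by also catching HTML that is relabelled with another MIME type or extension.

```python
"""Reject inbound e-mails that carry HTML attachments (the workaround above).

Added example, not Tryton's code. An attachment counts as HTML when its declared
MIME type, its file name extension, or its decoded bytes indicate markup.
"""
import email
import re
from email import policy
from email.message import EmailMessage

HTML_MIME_TYPES = {"text/html", "application/xhtml+xml"}
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".shtml")
# Case-insensitive sniff for tags that mark an HTML document, applied to the
# first 4 KiB of every attachment regardless of how it is labelled.
HTML_SNIFF = re.compile(rb"<\s*(?:!doctype\s+html|html|script|body)\b", re.IGNORECASE)


def is_html_attachment(part: EmailMessage) -> bool:
    """True when an attachment part looks like an HTML document."""
    if part.get_content_type().lower() in HTML_MIME_TYPES:
        return True
    if (part.get_filename() or "").lower().endswith(HTML_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return bool(HTML_SNIFF.search(payload[:4096]))


def html_attachments(raw_message: bytes) -> list[str]:
    """Names of the attachment parts that would be blocked (empty list = accept)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() or part.get_content_type()
            for part in msg.iter_attachments() if is_html_attachment(part)]


def _build_sample(attachments):
    """Constructed test message; each tuple is (filename, maintype, subtype, bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "sample"
    msg.set_content("See attached.")
    for name, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples: a benign PDF, a declared HTML file, and an HTML page
# relabelled as text/plain with a .txt name to slip past a type-only check.
SAMPLE_BENIGN = _build_sample([("invoice.pdf", "application", "pdf", b"%PDF-1.4 constructed")])
SAMPLE_HTML = _build_sample([("page.html", "text", "html", b"<html><body><script>void 0</script></body></html>")])
SAMPLE_RELABELLED = _build_sample([("notes.txt", "text", "plain", b"<!DOCTYPE html><html><body>hi</body></html>")])
```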
Resolution
All affected users should upgrade sao to the latest version.
Affected versions per series:
sao:
- 7.6: <= 7.6.8
- 7.4: <= 7.4.18
- 7.0: <= 7.0.37
- 6.0: <= 6.0.66
Non affected versions per series:
sao:
- 7.6: >= 7.6.9
- 7.4: >= 7.4.19
- 7.0: >= 7.0.38
- 6.0: >= 6.0.67
Reference
Concerns?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.