CVE-2024-28064: Critical Flaw Discovered in Totemomail Email Encryption Software
Security researchers have uncovered two serious vulnerabilities in Totemomail, a widely used email encryption product that is now part of Kiteworks (the company formerly known as Accellion). The flaws, tracked as CVE-2024-28063 and CVE-2024-28064, could allow attackers to read sensitive information from the server, delete files, and potentially cause a denial of service.
CVE-2024-28063: Reflected Cross-Site Scripting (XSS)
This vulnerability, with a CVSS score of 6.1, affects Totemomail's "Registered Envelope" feature, which delivers encrypted messages to recipients as HTML attachments. An attacker could exploit it by sending a crafted link that, when opened, executes attacker-controlled JavaScript in the recipient's browser, in the context of the Totemomail site.
When a recipient opens the HTML attachment in a browser with JavaScript disabled, the browser renders the <noscript> part of the page instead, which falls back to a GET request to the Totemomail server. That GET request carries the envelopeRecipient parameter, whose value is reflected into the response without sanitization or output encoding, so an attacker who controls the value in the link can inject script. A successful attack could steal sensitive information such as login credentials or session cookies.
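The reflection pattern described above, as an added illustration that is not Totemomail's code: only the parameter name envelopeRecipient comes from the advisory, while the host, the /envelope/open path, the form markup and the address allow-list are assumptions made for the example. The vulnerable renderer concatenates the decoded query value into an attribute; the hardened one rejects anything that is not an address and HTML-encodes the value for the attribute context.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL for illustration only. Host and path are made up;
# the payload is the classic attribute break-out followed by a script tag.
ATTACK_URL = (
    "https://mail.example.test/envelope/open?messageId=msg-1"
    "&envelopeRecipient=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)

# Assumed allow-list: the recipient must look like a mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def get_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded, as the server sees it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(recipient: str) -> str:
    """Bug pattern: the untrusted value is reflected straight into an HTML attribute."""
    return (
        '<form method="post" action="/envelope/open">'
        f'<input type="hidden" name="envelopeRecipient" value="{recipient}">'
        "</form>"
    )


def encode_for_attribute(value: str) -> str:
    """Encode & < > " ' so the value cannot close the attribute or open a tag."""
    return html.escape(value, quote=True)


def render_hardened(recipient: str) -> str:
    """Validate first, then encode: two independent defences against reflection."""
    if not EMAIL_RE.fullmatch(recipient):
        raise ValueError("envelopeRecipient is not a mail address")
    return (
        '<form method="post" action="/envelope/open">'
        f'<input type="hidden" name="envelopeRecipient" value="{encode_for_attribute(recipient)}">'
        "</form>"
    )


def hardened_accepts(recipient: str) -> bool:
    """Convenience wrapper: does the hardened renderer accept this value at all?"""
    try:
        render_hardened(recipient)
        return True
    except ValueError:
        return False


def payload_is_live(page: str) -> bool:
    """True when an unescaped <script> tag made it into the rendered page."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    value = get_param(ATTACK_URL, "envelopeRecipient")
    print("decoded parameter :", value)
    print("vulnerable page   :", render_vulnerable(value))
    print("script executes?  :", payload_is_live(render_vulnerable(value)))
    print("hardened accepts? :", hardened_accepts(value))
    print("hardened, valid   :", render_hardened("alice@example.test"))
```

Run it to see the decoded payload land intact in the vulnerable page and be refused by the hardened one. Encoding alone (encode_for_attribute) already neutralises the injection; the address check is the belt-and-braces layer a reviewer would ask for on a parameter that is supposed to be a recipient.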
CVE-2024-28064: Unauthenticated Arbitrary File Access
Rated far more severe, with a CVSS score of 9.8, this path traversal vulnerability lets an unauthenticated attacker read files on the Totemomail server by manipulating the messageId parameter. Depending on what the server process can reach, that includes configuration files and system data, and potentially stored encrypted emails and decryption keys. An attacker could leverage the flaw to exfiltrate sensitive information, delete critical files, or disrupt the service altogether.
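The traversal pattern described above, as an added illustration rather than Totemomail's own code: only the parameter name messageId comes from the advisory; the message-store layout, the identifier format in MESSAGE_ID_RE and the sample files are assumptions. The vulnerable resolver joins the untrusted id onto the store directory; the hardened one allow-lists the id and then checks that the resolved, symlink-followed path still lies inside the store.

```python
import os
import re
import shutil
import tempfile

# Assumed identifier format: an opaque token, no dots or separators.
MESSAGE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_vulnerable(store_dir: str, message_id: str) -> str:
    """Bug pattern: untrusted id joined onto the store path and used as-is."""
    # os.path.join drops store_dir entirely when message_id is absolute, and
    # normpath collapses "../" segments that walk out of the store.
    return os.path.normpath(os.path.join(store_dir, message_id))


def resolve_hardened(store_dir: str, message_id: str) -> str:
    """Allow-list the id, then confirm the resolved path is inside the store."""
    if not MESSAGE_ID_RE.fullmatch(message_id):
        raise ValueError(f"rejected messageId {message_id!r}")
    store_real = os.path.realpath(store_dir)
    candidate = os.path.realpath(os.path.join(store_real, message_id))
    # Independent second check: realpath follows symlinks, so a link planted
    # inside the store that points elsewhere is caught here too.
    if os.path.commonpath([store_real, candidate]) != store_real:
        raise ValueError("messageId resolves outside the message store")
    return candidate


def escapes_store(store_dir: str, path: str) -> bool:
    """Report whether a resolved path lies outside the store directory."""
    store_real = os.path.realpath(store_dir)
    return os.path.commonpath([store_real, os.path.realpath(path)]) != store_real


def demo() -> dict:
    """Build a throwaway store with one message and try benign and hostile ids."""
    root = tempfile.mkdtemp(prefix="totemo-demo-")
    try:
        store = os.path.join(root, "store")
        os.makedirs(store)
        with open(os.path.join(store, "msg-1"), "w") as fh:
            fh.write("ciphertext placeholder\n")          # constructed sample
        with open(os.path.join(root, "config.properties"), "w") as fh:
            fh.write("password=constructed-secret\n")     # constructed, outside store

        results = {}
        for mid in ("msg-1", "../config.properties", "/etc/passwd"):
            vuln_path = resolve_vulnerable(store, mid)
            try:
                hardened = resolve_hardened(store, mid)
            except ValueError as exc:
                hardened = f"REJECTED: {exc}"
            results[mid] = {
                "vulnerable_path": vuln_path,
                "vulnerable_escapes": escapes_store(store, vuln_path),
                "hardened": hardened,
            }
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for mid, outcome in demo().items():
        print(f"{mid!r:28} escapes={outcome['vulnerable_escapes']!s:5} "
              f"hardened={outcome['hardened']}")
```

The two checks in resolve_hardened are deliberately redundant: the regex stops "../" and absolute paths before any filesystem call, and the commonpath comparison catches anything the regex did not anticipate, such as a symlink already sitting inside the store.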
Discovery and Disclosure
Both vulnerabilities were discovered by security researchers at Objectif Sécurité SA, who responsibly disclosed their findings to Kiteworks. Kiteworks promptly developed and released patches for the flaws.
Impacted Versions and Remediation
Totemomail versions 7.0.0 through 8.2.1 are confirmed to be affected. Kiteworks has released Totemomail 8.3.0 to address both issues, and administrators are strongly urged to update immediately to reduce the risk of exploitation.