CHT Security Discovered a Pre-Auth Cross-Site Scripting Vulnerability in Well-known Japanese Email System

The CHT Security Red Team discovered a Pre-Auth Cross-Site Scripting vulnerability (CVE-2020-11734) in a well-known Japanese email system. More than 10 organizations, including those in the government, education and financial sectors, are affected. The vulnerability is briefly described as follows:


CVE-2020-11734: An attacker can perform cross-site scripting attacks prior to authentication. This vulnerability exists in multiple versions of the email system. The vulnerable page is "/cgi-bin/go". This vulnerability is classified as A7: Cross-Site Scripting (XSS) in the OWASP Top 10 2017.


Impact

The email system is one of the core systems of an enterprise. Once it is hacked, emails that may contain personal data and organizational information can be leaked. Enterprises often overlook the criticality of the email system because they usually use packaged software or subscribe to services.


Known Affected Software

  • version 5 or later

If your organization or enterprise is using the affected e-mail system, it is recommended to contact the vendor for patching and updating as soon as possible. 


Recommendations

CHT Security also recommends the following measures:

1. Enterprise: Contact the vendor to install the patch update as soon as possible. 

2. Email system vendor: Add salt to hashing instead of storing passwords in plain text. Implement input validation in the applications. It is recommended to adopt Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.