=========================================================================
Subject:   Reflected Cross-Site Scripting (XSS) in envelope recipient
Product:   Totemomail
Vendor:    Kiteworks
CVE ID:    CVE-2024-28063
CVSS v3.1: 6.1 [AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N]
Authors:   Delphine Peter, Philippe Oechslin
Date:      06.05.2024
=========================================================================

Summary
-------

A reflected Cross-Site Scripting (XSS) vulnerability was discovered in
Totemomail 7.0.0.

Details
-------

Totemomail offers a webmail interface for reading and writing e-mails.
Users can choose between two channels for secure messages: Webmail, which
lets recipients read secure messages in the Totemo webmail application,
and Registered Envelope, which delivers encrypted secure messages to the
recipient's mailbox as HTML attachments.

When opening the HTML attachment of a Registered Envelope, the user must
authenticate in order to retrieve the cryptographic material used to
decrypt the secure message contained in the HTML file. If such an HTML
attachment is opened in a browser that does not have JavaScript enabled,
the
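The following is an added illustration of the vulnerability class named in
the subject line (a recipient address reflected unescaped into the
envelope's authentication page), not code from this advisory, from
Totemomail or from Kiteworks. The excerpt above does not describe where in
the product the reflection happens, so the page template, the function
names and the inputs below are all hypothetical and constructed; the
example only shows the vulnerable pattern next to its hardened form and
a check a tester could run against both.

```python
"""Reflected XSS in a reflected recipient value: vulnerable vs. hardened.

Added example, not Totemomail code. PAGE_TEMPLATE stands in for whatever
server-side template renders the Registered Envelope authentication page;
its shape is an assumption made for illustration.
"""
import html
import re

# Constructed inputs (not taken from the advisory).
BENIGN_RECIPIENT = "alice@example.com"
# A recipient value carrying markup: breaks out of the attribute and
# injects a script element if echoed back without escaping.
HOSTILE_RECIPIENT = '"><script>alert(document.domain)</script>'

# Hypothetical page: the recipient appears once in a text context and once
# inside a double-quoted attribute. Both contexts are covered by HTML
# entity escaping of & < > " '.
PAGE_TEMPLATE = (
    "<html><body>"
    "<p>Secure message for {recipient}</p>"
    '<input type="hidden" name="recipient" value="{recipient}">'
    "</body></html>"
)

# Conservative allow-list for a single mailbox address (local@domain);
# used as defence in depth, not as a substitute for escaping.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)


def render_envelope_page_vulnerable(recipient: str) -> str:
    """Vulnerable pattern: the recipient is interpolated into HTML as-is."""
    return PAGE_TEMPLATE.format(recipient=recipient)


def render_envelope_page_fixed(recipient: str) -> str:
    """Hardened pattern: escape for the HTML context before interpolating.

    html.escape(..., quote=True) turns & < > " ' into entities, which
    neutralises both the text-node and the attribute-value injection.
    """
    return PAGE_TEMPLATE.format(recipient=html.escape(recipient, quote=True))


def is_plausible_recipient(recipient: str) -> bool:
    """Allow-list check a handler can apply before rendering at all."""
    return ADDRESS_RE.match(recipient) is not None


def reflects_live_script(page: str) -> bool:
    """Tester's check: does the rendered response contain an unescaped
    <script> tag? Run it over the vulnerable and the fixed output."""
    return SCRIPT_TAG_RE.search(page) is not None


if __name__ == "__main__":
    for label, render in (("vulnerable", render_envelope_page_vulnerable),
                          ("fixed", render_envelope_page_fixed)):
        page = render(HOSTILE_RECIPIENT)
        print(f"{label}: live <script> present = {reflects_live_script(page)}")
        print(page)
    print("hostile input passes address allow-list:",
          is_plausible_recipient(HOSTILE_RECIPIENT))
```

The escaping fix is what removes the injection; the allow-list check is
an additional layer that would also reject the constructed payload, but
on its own it would not protect any other reflected parameter.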