Telos Automated Message Handling System information disclosure in itemlookup.asp
Description
Telos AMHS versions prior to 4.1.5.5 contain an XSS vulnerability in itemlookup.asp that allows remote attackers to inject arbitrary script into an AMHS session, leading to information exposure and potential user data compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-9541 is a reflected cross-site scripting (XSS) vulnerability in the itemlookup.asp endpoint of the Telos Automated Message Handling System (AMHS), a web-based messaging system used by the DoD and Intelligence Community. The vulnerability exists in AMHS versions prior to 4.1.5.5 [1]. An attacker can craft a malicious URI that, when visited by an authenticated AMHS user, executes arbitrary JavaScript in the context of the user's session.
Exploitation
Exploitation requires no authentication from the attacker but does require a target user to click on a crafted link. The attacker sends a specially-crafted AMHS URI to an authenticated user (e.g., via email or other messaging). When the user accesses that URI within the AMHS web interface, the injected script executes in the user's browser session [1]. No special network position is required beyond the ability to deliver the link.
Impact
A successful attack can lead to information disclosure of other AMHS users' data, as the injected script can access the victim's session cookies and make requests on their behalf [1]. The attacker may also be able to perform actions with the victim's privileges. The CIA impact is partial confidentiality and integrity loss, with no direct impact on availability. The CVSS v2 base score is 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) [1].
Mitigation
The vulnerability is addressed in AMHS version 4.1.5.5 [1]. Users should contact Telos to obtain the update. No workaround is provided in the available references. The vulnerability is not currently listed on the CISA KEV.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries:
- (no CPE) range: < 4.1.5.5
- (no CPE) range: unspecified
Patches
0 entries. No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1. www.kb.cert.org/vuls/id/873161/ (third-party advisory, x_refsource_CERT-VN)
News mentions
0 entries. No linked articles in our index yet.