CVE-2024-51122
Description
Cross Site Scripting vulnerability in Zertificon Z1 SecureMail Z1 CertServer v.3.16.4-2516-debian12 allows a remote attacker to execute arbitrary code via the ST, L, O, OU, CN parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS vulnerability in Zertificon Z1 CertServer via certificate subject fields allows remote attackers to execute arbitrary scripts.
A cross-site scripting (XSS) vulnerability has been identified in Zertificon's Z1 SecureMail Z1 CertServer version 3.16.4-2516-debian12. The flaw resides in the handling of the certificate subject parameters ST, L, O, OU, and CN. Improper sanitization of user-supplied input allows an attacker to inject malicious scripts into the web interface.
To exploit this vulnerability, an attacker must be able to supply crafted values for any of the affected parameters when generating or modifying certificates. The attack can be conducted remotely without authentication, as the parameters are processed by the web server. Successful exploitation requires the victim to interact with the malicious link or content, such as clicking a crafted URL or viewing a manipulated certificate page.
If exploited, an attacker can execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the affected web pages. The CVSS v3 base score of 6.1 (Medium) reflects the need for user interaction but also the potential for significant impact on confidentiality and integrity.
As of the publication date (2025-02-12), no patch has been announced. Administrators are advised to restrict access to the certificate management interface and apply input validation as a workaround. The vulnerability is documented in public advisories [1].
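The input-validation workaround and the missing output encoding for the ST, L, O, OU and CN fields, shown as an added Python example that is not Zertificon's code. The allow-list policy, the function names and the sample subjects are assumptions constructed for illustration.

```python
import html
import re

SUBJECT_FIELDS = ("CN", "OU", "O", "L", "ST")  # fields named in the CVE description
# Assumed allow-list policy: letters, digits, space and . , ' ( ) & - up to 64 chars.
ALLOWED = re.compile(r"[\w .,'()&-]{1,64}")

def rejected_fields(subject):
    """Return the subject fields whose values fail the allow-list."""
    return [f for f in SUBJECT_FIELDS
            if f in subject and not ALLOWED.fullmatch(subject[f])]

def render_unsafe(subject):
    """Vulnerable pattern: values are concatenated into markup unescaped."""
    rows = "".join(f"<tr><th>{f}</th><td>{subject[f]}</td></tr>"
                   for f in SUBJECT_FIELDS if f in subject)
    return f"<table>{rows}</table>"

def render_safe(subject):
    """Hardened pattern: every value is HTML-encoded at output time."""
    rows = "".join(
        f"<tr><th>{f}</th><td>{html.escape(subject[f], quote=True)}</td></tr>"
        for f in SUBJECT_FIELDS if f in subject)
    return f"<table>{rows}</table>"

# Constructed samples: one benign subject, one with markup in the O field.
BENIGN = {"CN": "mail.example.org", "O": "Example GmbH & Co. KG",
          "L": "Berlin", "ST": "Berlin"}
TAINTED = dict(BENIGN, O="<script>alert(1)</script>")

if __name__ == "__main__":
    for name, subj in (("benign", BENIGN), ("tainted", TAINTED)):
        print(name, "rejected:", rejected_fields(subj))
    print(render_unsafe(TAINTED))  # markup reaches the page as-is
    print(render_safe(TAINTED))    # markup is rendered as inert text
```

The benign organisation name passes validation but still contains `&`, so encoding at output is needed even when validation is in place.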
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.16.4-2516-debian12
Patches
No patches discovered yet.