CVE-2022-45169 in Collaboration vDesk

Summary

by MITRE • 02/21/2024

An issue was discovered in LIVEBOX Collaboration vDesk through v031. A URL Redirection to an Untrusted Site (Open Redirect) can occur under the /api/v1/notification/createnotification endpoint, allowing an authenticated user to send an arbitrary push notification to any other user of the system. This push notification can include an (invisible) clickable link.


Analysis

by VulDB Data Team • 04/19/2025

The vulnerability identified as CVE-2022-45169 represents a critical security flaw in LIVEBOX Collaboration vDesk software version 031 and earlier. This issue manifests as an open redirect vulnerability within the application's notification system, specifically at the /api/v1/notification/createnotification endpoint. The flaw allows authenticated users to manipulate the notification delivery mechanism to redirect other system users to arbitrary external URLs, creating a significant vector for social engineering attacks and potential credential theft.

This vulnerability falls under the CWE-601 category of URL Redirection to Untrusted Site, which is classified as an open redirect vulnerability in cybersecurity standards. The technical implementation of this flaw enables attackers to craft malicious notification payloads that contain clickable links pointing to malicious domains. The authenticated nature of the vulnerability means that an attacker must first gain valid credentials to exploit this weakness, but once achieved, the impact extends beyond simple privilege escalation to include user deception and potential data exfiltration through phishing attacks.

The operational impact of this vulnerability extends beyond immediate security concerns to encompass broader organizational risks. When exploited, authenticated users can send push notifications containing invisible clickable links to any other user within the system, effectively enabling a form of cross-user social engineering. This capability allows attackers to craft deceptive notifications that may appear legitimate to victims, potentially leading to credential compromise, malware installation, or other malicious activities. The invisible nature of the links makes detection more difficult for end users, as they may not immediately recognize the malicious intent within notification content.

The attack vector for this vulnerability requires an authenticated session within the LIVEBOX Collaboration environment, which means that attackers must first compromise valid user credentials through methods such as credential stuffing, phishing, or other account compromise techniques. Once authenticated, attackers can leverage the notification endpoint to send malicious payloads to other users, creating a potential chain reaction where compromised users may inadvertently trigger further attacks. This vulnerability aligns with several ATT&CK tactics including T1566 for phishing and T1071 for application layer protocol usage, making it particularly dangerous in enterprise environments where collaboration tools are widely used.

Mitigation strategies for this vulnerability should focus on immediate patching of the affected LIVEBOX Collaboration vDesk versions, implementing proper input validation and sanitization at the notification endpoint, and establishing strict controls over notification delivery mechanisms. Organizations should also consider implementing network-level controls to monitor and restrict outbound connections from collaboration platforms to suspicious domains. Additionally, user education programs should emphasize the importance of verifying notification sources and avoiding interaction with unexpected links, even when appearing to originate from trusted internal systems. The vulnerability underscores the importance of implementing robust access controls and monitoring for anomalous notification patterns that may indicate exploitation attempts.
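The input validation the previous paragraph calls for at the notification endpoint can be made concrete as a pre-delivery check on link targets. The following Python is an added example and is not vDesk's code or API; the platform origin, the HTML payload format and the field names are assumptions. It resolves every link against the platform's own origin, allows only https links that stay on an allow-listed host, and rejects the protocol-relative, userinfo and scheme tricks that commonly slip past naive host checks, as well as anchors whose text is empty or made of zero-width characters (the "invisible" links the advisory describes).

```python
"""Validate link targets in a push-notification payload before delivery.

Added example for mitigating CWE-601 at a notification endpoint.
PLATFORM_ORIGIN, ALLOWED_HOSTS and the HTML payload shape are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the collaboration platform's own origin; links must stay on it.
PLATFORM_ORIGIN = "https://vdesk.example.internal"
ALLOWED_HOSTS = {"vdesk.example.internal"}

# Zero-width and BOM characters that can hide link text from the recipient.
INVISIBLE_RE = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff]")
# Bare URLs outside anchors (many clients auto-link them); scheme optional.
BARE_URL_RE = re.compile(r"(?:https?:)?//[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from an HTML notification body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def link_target_allowed(href: str) -> bool:
    """True only if href stays on the platform origin over https.

    Relative paths are resolved against PLATFORM_ORIGIN, which also turns a
    protocol-relative '//evil.example' into an absolute URL so its host is checked.
    """
    if INVISIBLE_RE.search(href) or any(c.isspace() for c in href):
        return False
    if "\\" in href:  # browsers treat backslashes as slashes; refuse rather than guess
        return False
    parts = urlsplit(urljoin(PLATFORM_ORIGIN + "/", href))
    if parts.scheme != "https":  # rejects http:, javascript:, data:, ...
        return False
    # hostname strips userinfo and port: 'https://trusted@evil.example' -> 'evil.example'
    return parts.hostname in ALLOWED_HOSTS


def validate_notification(body: str) -> list[str]:
    """Return rejection reasons; an empty list means the payload may be delivered."""
    problems = []
    collector = _LinkCollector()
    collector.feed(body)
    seen_hrefs = set()
    for href, text in collector.links:
        seen_hrefs.add(href)
        if not link_target_allowed(href):
            problems.append(f"external or unsafe link target: {href!r}")
        if not INVISIBLE_RE.sub("", text).strip():
            problems.append(f"link with no visible text: {href!r}")
    for url in BARE_URL_RE.findall(body):
        if url not in seen_hrefs and not link_target_allowed(url):
            problems.append(f"external bare URL: {url!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    samples = [
        '<a href="/inbox/42">New message</a>',
        '<a href="//evil.example/login">Login</a>',
        '<a href="https://vdesk.example.internal@evil.example/">Profile</a>',
        '<a href="/inbox/42">\u200b</a>',
        "See https://evil.example/x for details",
    ]
    for sample in samples:
        print(repr(sample), "->", validate_notification(sample) or "OK")
```

The endpoint should refuse the whole notification when the list is non-empty rather than stripping the offending link, and the rejection reasons are worth logging with the sender's account, since a burst of rejected external links from one user is exactly the anomalous notification pattern the paragraph above suggests monitoring for.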

Reservation

11/11/2022

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00265

KEV

no

Activities

very low

Sources
