CVE-2022-26088: HTML injection in BMC Remedy before 22.1
An issue was discovered in BMC Remedy before 22.1. Email-based Incident Forwarding allows remote authenticated users to inject HTML (such as an SSRF payload) into the Activity Log by placing it in the To: field. This affects rendering that occurs upon a click in the "number of recipients" field. NOTE: the vendor's position is that "no real impact is demonstrated."
AI Analysis
Technical Summary
CVE-2022-26088 is a medium-severity vulnerability in BMC Remedy versions prior to 22.1. The Email-based Incident Forwarding feature lets a remote authenticated user place arbitrary HTML in the 'To:' field; that value is stored in the incident's Activity Log and is rendered without neutralization when someone clicks the "number of recipients" field. The flaw is tracked as CWE-79 (Improper Neutralization of Input During Web Page Generation), i.e. a stored HTML/cross-site-scripting injection: whatever markup the attacker stored is interpreted by the browser of whoever views the recipient list. The advisory cites "an SSRF payload" as the injected content, but nothing on this page shows the Remedy server itself fetching the attacker's URL; what is demonstrated is that injected markup (for example an image or link tag pointing at an attacker-controlled host) is rendered to the viewing user, and the vendor's position is that "no real impact is demonstrated." The CVSS 3.1 base score is 5.4 (medium), which corresponds to network attack vector, low attack complexity, low privileges required (PR:L), user interaction required (UI:R), changed scope (S:C, because the injected content executes in the victim's browser rather than in the vulnerable component), low confidentiality and integrity impact, and no availability impact. No exploits in the wild are known.
Potential Impact
For European organizations running BMC Remedy prior to version 22.1, the exposure is stored HTML injection in incident records. The realistic consequences are those of a CWE-79 flaw against the users who view the log: spoofed content in the recipient list, requests or navigation to attacker-controlled hosts from the viewer's browser, and, if script execution is possible in that context, actions performed in the viewer's session. An SSRF outcome, in which internal services are reached from the Remedy server, would require the stored content to be processed server-side, which the page does not demonstrate. Because BMC Remedy is the system of record for incidents, tampering with Activity Log entries also undermines the integrity of incident documentation and complicates forensic investigation and incident response. No availability impact is noted. Exploitation requires an authenticated account with forwarding rights, which limits the attacker population to insiders and compromised accounts, but organizations in regulated sectors such as finance, healthcare and critical infrastructure, where accurate incident records are a compliance requirement, should still treat the medium rating as actionable.
Mitigation Recommendations
1. Upgrade BMC Remedy to version 22.1 or later, the first version the advisory names as not affected.
2. Treat the 'To:' field as untrusted input: validate it on submission (accept only well-formed recipient addresses) and HTML-encode it, and every other user-controllable field, wherever the UI renders it, including the "number of recipients" view of the Activity Log.
3. Restrict the Email-based Incident Forwarding feature to the roles that need it; the flaw requires an authenticated account, so the exposed population is the set of users permitted to forward incidents.
4. Audit existing Activity Log entries for markup in recipient fields (angle brackets, entity references, javascript: URLs, event-handler attributes); such content indicates a tampering attempt and should be removed and investigated.
5. A WAF rule that blocks markup in the forwarding request's recipient parameter is a stopgap only; it does not clean entries already stored.
6. Make Remedy users aware that the recipient list shown in the Activity Log is user-supplied content and that anomalies should be reported rather than clicked through.
7. Network segmentation limits what a request originating from the Remedy server could reach if stored content were ever processed server-side; it does not stop a viewer's browser from loading an attacker-supplied URL, so it complements rather than replaces items 2 and 4.
8. If patching is delayed, disable or restrict the Email-based Incident Forwarding feature as a temporary workaround.
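The following is an added example, not code from BMC Remedy or from this page, illustrating the CWE-79 pattern described in the Technical Summary together with the validation, output-encoding and log-audit controls in the mitigation list. The HTML layout of the recipient view, the recipient syntax, the log record format and the incident IDs are all assumptions; the attacker input and log entries are constructed.

```python
"""Added example (not BMC Remedy code): the CWE-79 pattern behind
CVE-2022-26088 and the validation/encoding/detection controls from the
mitigation list. Names, HTML layout and log format are assumptions."""
import html
import re

# Strict allow-list for one recipient. Assumption: Remedy's actual To: syntax
# is not documented on this page; bare addr-spec is used here for illustration.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
# Markup-like content that has no business in a recipient list.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z!][a-z0-9]*|&#|javascript:|\bon[a-z]+\s*=", re.I
)

# Constructed attacker input: a valid address followed by an image tag whose
# src points at an attacker-controlled host (the "SSRF payload" shape the
# advisory mentions; when rendered, it is the viewer's browser that fetches it).
INJECTED_TO = 'ops@example.com, <img src="http://attacker.example/ping">'


def split_recipients(to_field: str) -> list[str]:
    """Split a To: field on commas/semicolons, dropping empty items."""
    return [p.strip() for p in re.split(r"[,;]", to_field) if p.strip()]


def render_recipients_vulnerable(to_field: str) -> str:
    """Flawed rendering: the stored To: value is interpolated into HTML as-is,
    so an <img>/<a>/<script> placed in the field is rendered on click."""
    parts = split_recipients(to_field)
    items = "".join(f"<li>{p}</li>" for p in parts)
    return f'<div class="recipients">{len(parts)} recipients<ul>{items}</ul></div>'


def render_recipients_hardened(to_field: str) -> str:
    """Output encoding: every recipient is HTML-escaped before insertion, so
    markup is displayed as text instead of being interpreted."""
    parts = split_recipients(to_field)
    items = "".join(f"<li>{html.escape(p, quote=True)}</li>" for p in parts)
    return f'<div class="recipients">{len(parts)} recipients<ul>{items}</ul></div>'


def validate_to_field(to_field: str) -> list[str]:
    """Input validation at submission time: reject anything that is not a
    well-formed address, so markup never reaches the Activity Log."""
    parts = split_recipients(to_field)
    rejected = [p for p in parts if not ADDR_RE.match(p)]
    if rejected:
        raise ValueError(f"rejected recipient(s): {rejected}")
    return parts


def scan_activity_log(entries: list[dict]) -> list[tuple[str, str, str]]:
    """Detection over already-stored entries (mitigation 4): return
    (incident id, submitting user, matched fragment) for every To: field
    that contains markup-like content."""
    findings = []
    for entry in entries:
        match = MARKUP_RE.search(entry["to"])
        if match:
            findings.append((entry["id"], entry["user"], match.group(0)))
    return findings


# Constructed Activity Log extract; field names and ID format are assumptions.
SAMPLE_LOG = [
    {"id": "INC000000001042", "user": "jdoe",
     "to": "ops@example.com; cto@example.org"},
    {"id": "INC000000001043", "user": "mallory", "to": INJECTED_TO},
    {"id": "INC000000001044", "user": "mallory",
     "to": 'x@example.com, <a href="javascript:alert(1)">1 recipient</a>'},
]

if __name__ == "__main__":
    print(render_recipients_vulnerable(INJECTED_TO))
    print(render_recipients_hardened(INJECTED_TO))
    for finding in scan_activity_log(SAMPLE_LOG):
        print("flagged:", finding)
```

The two render functions differ only in the `html.escape` call, which is the whole of the output-encoding fix; `validate_to_field` is the submission-time control that keeps markup out of the log in the first place, and `scan_activity_log` is what an audit of already-stored entries (mitigation 4) reduces to once the log is exported. The regexes are deliberately narrow; a real deployment would tune `ADDR_RE` to whatever recipient syntax Remedy actually accepts.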
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-02-24T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9839c4522896dcbecdd0
Added to database: 5/21/2025, 9:09:13 AM
Last enriched: 6/25/2025, 6:15:55 PM
Last updated: 7/30/2025, 1:01:01 PM
Views: 12
Related Threats
CVE-2025-43490: CWE-59 Improper Link Resolution Before File Access ('Link Following') in HP, Inc. HP Hotkey Support Software (Medium)
CVE-2025-9060: CWE-20 Improper Input Validation in MSoft MFlash (Critical)
CVE-2025-8675: CWE-918 Server-Side Request Forgery (SSRF) in Drupal AI SEO Link Advisor (Medium)
CVE-2025-8362: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal GoogleTag Manager (Medium)
CVE-2025-8361: CWE-962 Missing Authorization in Drupal Config Pages (High)