CVE-2019-9882

Summary

Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengineering.com&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes.

Affected Software

VendorProductVersion RangeStatus
OAKloudsMailSherlock MSR35iSherlock-base < 1.5-328affected
OAKloudsMailSherlock MSR35iSherlock-useradmin < 1.5-239affected
OAKloudsMailSherlock MSR35iSherlock-sysinfo < 1.5-196affected
OAKloudsMailSherlock MSR35iSherlock-user < 1.5-127affected
OAKloudsMailSherlock MSR45iSherlock-base < 4.5-206affected
OAKloudsMailSherlock MSR45iSherlock-useradmin < 4.5-106affected
OAKloudsMailSherlock MSR45iSherlock-sysinfo < 4.5-109affected
OAKloudsMailSherlock MSR45iSherlock-user < 4.5-81affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References