CVE-2019-9883

Summary

Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to elevate privilege of specific account via useradmin/cf_new.cgi?chief=&wk_group=full&cf_name=test&cf_account=test&cf_email=&cf_acl=Management&apply_lang=&dn= without any authorizes.

Affected Software

VendorProductVersion RangeStatus
OAKloudsMailSherlock MSR35iSherlock-base < 1.5-328affected
OAKloudsMailSherlock MSR35iSherlock-useradmin < 1.5-239affected
OAKloudsMailSherlock MSR35iSherlock-sysinfo < 1.5-196affected
OAKloudsMailSherlock MSR35iSherlock-user < 1.5-127affected
OAKloudsMailSherlock MSR45iSherlock-base < 4.5-206affected
OAKloudsMailSherlock MSR45iSherlock-useradmin < 4.5-106affected
OAKloudsMailSherlock MSR45iSherlock-sysinfo < 4.5-109affected
OAKloudsMailSherlock MSR45iSherlock-user < 4.5-81affected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CVE Program Container

Additional References

References