HGiga MailSherlock - SQL Injection -1
Description
HGiga MailSherlock contains a SQL injection vulnerability. Attackers can inject and execute SQL commands through a URL parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HGiga MailSherlock contains a SQL injection vulnerability in a URL parameter of the email function, allowing authenticated attackers to execute unauthorized SQL commands.
Vulnerability
HGiga MailSherlock, specifically iSherlock MSR45/SSR45 with system packages iSherlock-user-4.5 below version 120 and iSherlock-antispam-4.5 below version 133, contains a SQL injection vulnerability in a URL parameter of the email function. An authenticated attacker can inject SQL syntax into the parameter, leading to unauthorized SQL command execution [1].
Exploitation
The attacker must first be logged into the MailSherlock system. After authentication, the attacker crafts a malicious URL containing SQL injection payloads in the parameter of the email function. The application does not properly sanitize the input, allowing the injected SQL commands to be processed by the database [1].
Impact
A successful SQL injection allows the attacker to execute arbitrary SQL commands, potentially leading to high confidentiality impact (reading sensitive data) and low integrity and availability impacts (modifying or deleting data) [1]. The CVSS score is 7.0 (High) [1].
Mitigation
HGiga has released fixed versions: update to system packages iSherlock-user-4.5-120.i386.rpm and iSherlock-antispam-4.5-133.i386.rpm for iSherlock MSR45/SSR45 systems [1]. No workarounds are mentioned in the reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HGiga/MailSherlock MSR45/SSR45 v5 (Range: unspecified)
Patches
No patches discovered yet.
References
[1] www.twcert.org.tw/tw/cp-132-4261-d5379-1.html (mitre, x_refsource_MISC)