HGiga MailSherlock - SQL Injection -3
Description
HGiga MailSherlock contains a SQL injection flaw. Attackers can inject and launch SQL commands in a URL parameter of specific cgi pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HGiga MailSherlock SQL injection allows authenticated attackers to execute arbitrary SQL commands via a URL parameter.
Vulnerability
HGiga MailSherlock contains a SQL injection vulnerability in specific cgi pages. An authenticated attacker can inject SQL commands via a URL parameter. Affected versions include iSherlock MSR45/SSR45 with iSherlock-user-4.5 prior to 120 and iSherlock-antispam-4.5 prior to 133 [1].
Exploitation
An attacker must first authenticate to the MailSherlock system. Once logged in, they can craft a malicious URL parameter to inject SQL commands into the backend database. No additional privileges beyond normal user access are required [1].
Impact
Successful exploitation allows the attacker to execute unauthorized SQL commands, leading to potential disclosure of sensitive information (confidentiality high), and limited modification or disruption of data (integrity low, availability low). The CVSS v3.1 score is 7.0 (High) [1].
Mitigation
HGiga has released fixed packages: iSherlock-user-4.5-120.i386.rpm and iSherlock-antispam-4.5-133.i386.rpm for MSR45/SSR45 systems. Users should update to these versions. No workaround is documented [1].
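An added example (not HGiga's code and not part of the advisory): a shell check that compares installed package releases against the fixed releases named above. It assumes the installed package names follow the RPM file names (iSherlock-user, iSherlock-antispam) and that the release field starts with a number; the sample input is constructed.

```shell
#!/bin/sh
# Added example. Assumption: installed package names follow the RPM file names
# in the advisory (name-version-release.arch), so release 120 / 133 is the fix.

# Minimum fixed release per package on the 4.5 line (values from the advisory).
min_fixed_release() {
  case "$1" in
    iSherlock-user)     echo 120 ;;
    iSherlock-antispam) echo 133 ;;
    *) return 1 ;;
  esac
}

# check_pkg NAME VERSION RELEASE
# Returns 0 = fixed, 1 = vulnerable, 2 = not covered, 3 = release not parseable.
check_pkg() {
  cp_min=$(min_fixed_release "$1") || { echo "SKIP $1 (not covered by the advisory)"; return 2; }
  [ "$2" = "4.5" ] || { echo "SKIP $1-$2 (advisory covers 4.5 only)"; return 2; }
  cp_rel=${3%%[!0-9]*}   # leading digits of the release field
  [ -n "$cp_rel" ] || { echo "UNKNOWN $1-$2-$3 (non-numeric release)"; return 3; }
  if [ "$cp_rel" -lt "$cp_min" ]; then
    echo "VULNERABLE $1-$2-$3 (fixed in release $cp_min)"
    return 1
  fi
  echo "OK $1-$2-$3"
}

# audit: reads "NAME VERSION RELEASE" lines on stdin, one package per line.
# Returns 1 if any covered package is vulnerable or could not be evaluated.
audit() {
  a_rc=0
  while read -r a_name a_ver a_rel; do
    [ -n "$a_name" ] || continue
    a_st=0
    check_pkg "$a_name" "$a_ver" "$a_rel" || a_st=$?
    case "$a_st" in 1|3) a_rc=1 ;; esac
  done
  return "$a_rc"
}

# Constructed sample input (not taken from a real system).
SAMPLE='iSherlock-user 4.5 119
iSherlock-antispam 4.5 133
openssl 1.0.1e 42'

# On the appliance, feed real data instead:
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' iSherlock-user iSherlock-antispam | audit
```

Running `printf '%s\n' "$SAMPLE" | audit` reports the first package as vulnerable and exits non-zero, which makes the check usable in a scheduled compliance job.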
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HGiga/MailSherlock MSR45/SSR45, v5, Range: unspecified
Patches
No patches discovered yet.
References
[1] www.twcert.org.tw/tw/cp-132-4262-03785-1.html (mitre, x_refsource_MISC)