VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

HGiga MailSherlock - SQL Injection

CVE-2023-24840

Description

The HGiga MailSherlock mail query function has a vulnerability of insufficient validation for user input. An authenticated remote attacker with administrator privileges can exploit this vulnerability to inject SQL commands to read, modify, and delete the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated admin can inject SQL commands via insufficient input validation in HGiga MailSherlock's mail query function, leading to database compromise.

Vulnerability

The mail query function in HGiga MailSherlock fails to validate user-supplied parameters, allowing SQL injection. The vulnerability affects versions of the iSherlock-query system package up to and including iSherlock-query-4.5-167 on MailSherlock v4.5 systems. An attacker must have administrator privileges and be authenticated to reach the vulnerable endpoint [1].

Exploitation

An attacker with administrator credentials can send crafted HTTP requests to the mail query function, injecting arbitrary SQL commands via the unvalidated input parameter. No additional privileges or user interaction are required beyond the initial login [1].

Impact

Successful exploitation allows the attacker to read, modify, and delete arbitrary data in the MailSherlock database, leading to complete compromise of confidentiality, integrity, and availability of the stored information [1].

Mitigation

The vendor released a fixed version of the iSherlock-query package, iSherlock-query-4.5-168.386.rpm. Administrators should update MailSherlock to this package version or later. No workaround is documented; updating is the only known mitigation [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
