VYPR
Unrated severity · NVD Advisory · Published Mar 27, 2023 · Updated Feb 19, 2025

HGiga MailSherlock - Command Injection

CVE-2023-24841

Description

HGiga MailSherlock query function for connection log has a vulnerability of insufficient filtering for user input. An authenticated remote attacker with administrator privilege can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operation or disrupt service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

HGiga MailSherlock connection log query function has a command injection vulnerability allowing authenticated admin attackers to execute arbitrary system commands.

Vulnerability

HGiga MailSherlock 4.5, with the system package iSherlock-sysinfo at version 4.5-132 or earlier, contains a command injection vulnerability in the connection log query function. The function does not adequately filter or sanitize the user-supplied parameter values it receives, so an authenticated remote attacker with administrator privileges can inject arbitrary system commands into the command the function executes [1].

Exploitation

The attacker must first authenticate to the MailSherlock web interface with a valid administrator account. With that access, the attacker sends crafted requests to the connection log query endpoint, placing shell metacharacters (a command separator such as a semicolon, for example) followed by a command of their choice in the unsanitized parameter; the injected text becomes part of the system command the function runs and is executed with it. No network position beyond reachability of the web interface is required [1], and no user interaction is needed.
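To make the mechanism concrete, here is an added illustration written for this page; it is not MailSherlock's code, and the handler, parameter name, log file and log format are all assumptions. It shows a connection-log query implemented by splicing the search term into a shell command, next to a hardened version that validates the term and runs grep without a shell. The injected payload in the demo only runs `echo`, so it is harmless to execute.

```python
"""
Hypothetical connection-log query handler: the vulnerable pattern and a
hardened replacement.  Example code for this page, not vendor code.
"""
import os
import re
import subprocess
import tempfile

# Constructed sample "connection log" (invented format, not MailSherlock output).
SAMPLE_LOG = """\
2023-03-01T10:00:01 connect from 192.0.2.10 user=alice status=ok
2023-03-01T10:00:07 connect from 198.51.100.7 user=bob status=auth-fail
2023-03-01T10:00:09 connect from 192.0.2.10 user=alice status=ok
"""


def write_sample_log() -> str:
    """Write the constructed log to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    return path


def build_command_unsafe(log_path: str, search: str) -> str:
    """Vulnerable pattern: the user-controlled search term is spliced into a
    shell command string.  A quote in `search` closes the literal and anything
    after it is parsed by /bin/sh as further commands."""
    return f"grep '{search}' {log_path}"


def query_log_unsafe(log_path: str, search: str) -> str:
    """shell=True hands the whole string to the shell, so metacharacters in
    `search` are interpreted rather than searched for."""
    proc = subprocess.run(build_command_unsafe(log_path, search),
                          shell=True, capture_output=True, text=True)
    return proc.stdout


# Hardened variant: allow-list the input, never go through a shell.
ALLOWED_SEARCH = re.compile(r"^[A-Za-z0-9._:=@-]{1,64}$")


def is_acceptable_search(search: str) -> bool:
    """True only for short tokens made of characters that are meaningful in a
    log search and have no special meaning to a shell."""
    return ALLOWED_SEARCH.fullmatch(search) is not None


def query_log_safe(log_path: str, search: str) -> str:
    """Reject anything outside the allow-list, then call grep with an argument
    list (no shell).  '--' stops grep from treating a leading '-' as an option."""
    if not is_acceptable_search(search):
        raise ValueError("search term rejected: contains disallowed characters")
    proc = subprocess.run(["grep", "--", search, log_path],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    log = write_sample_log()
    # Closes grep's quoted pattern, runs an extra command, reopens a quote so
    # the shell line stays syntactically valid.
    payload = "alice' /dev/null; echo INJECTED; echo '"
    print("unsafe command line:", build_command_unsafe(log, payload))
    print("unsafe output:", repr(query_log_unsafe(log, payload)))
    print("safe accepts payload?", is_acceptable_search(payload))
    print("safe output for 'alice':", repr(query_log_safe(log, "alice")))
```

The allow-list is deliberately narrow: widening it to admit quotes, spaces or semicolons would reintroduce the problem only if a shell were involved, but keeping the argument-list call and a strict pattern gives two independent layers of defence.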

Impact

Successful exploitation lets the attacker execute arbitrary system commands on the MailSherlock server in the context of the web application process (the reference does not state which account that is) [1]. The vendor advisory describes the outcome as arbitrary system operations or disruption of service [1]; in practice that covers reading or modifying files on the host and taking the mail service down, so the result is a complete loss of confidentiality, integrity and availability of the affected system.

Mitigation

The vendor released a fixed system package: update iSherlock-sysinfo to 4.5-133.386 (the fix is distributed as an RPM) or later [1]. The available reference describes no workaround [1]; because exploitation requires an administrator account, restricting who can reach the administrative web interface limits exposure until the package is updated, but it is not a substitute for the fix. The CVE carries a CVSS score of 7.2 (High) and was not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
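An added helper, written for this page rather than by the vendor, to decide from an installed package version whether a host still needs the update. It assumes the package is queried with rpm (the fix is distributed as an RPM) using `rpm -q --qf '%{VERSION}-%{RELEASE}' iSherlock-sysinfo`, and compares VERSION-RELEASE strings segment by segment in the manner of rpmvercmp; the versions used in the stand-alone run are constructed.

```python
"""
Is an installed iSherlock-sysinfo older than the fixed release 4.5-133.386?
Example code for this page; the rpm query and package name are assumptions.
"""
import re
import subprocess

FIXED_VR = "4.5-133.386"          # VERSION-RELEASE of the fixed package [1]
PACKAGE = "iSherlock-sysinfo"


def _segments(s: str):
    """Split into alternating numeric and alphabetic runs; separators such
    as '.' and '-' are dropped, as rpmvercmp does."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def _cmp_segments(a: str, b: str) -> int:
    """rpmvercmp-style comparison: numeric segments compare as integers,
    alphabetic ones as strings, a numeric segment outranks an alphabetic one,
    and the string with more segments wins when the shared prefix is equal."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a: str, b: str) -> int:
    """Compare two 'VERSION-RELEASE' strings: negative if a < b, 0 if equal,
    positive if a > b.  VERSION is compared first, RELEASE only on a tie."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    c = _cmp_segments(va, vb)
    return c if c else _cmp_segments(ra, rb)


def is_vulnerable(installed_vr: str, fixed_vr: str = FIXED_VR) -> bool:
    """True when the installed package predates the fixed release."""
    return compare_vr(installed_vr, fixed_vr) < 0


def installed_version(package: str = PACKAGE):
    """Ask rpm for the installed VERSION-RELEASE; None if rpm is unavailable
    or the package is not installed."""
    try:
        proc = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
            capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    live = installed_version()
    if live is None:
        print(f"{PACKAGE}: not installed or rpm not available on this host")
    else:
        print(f"{PACKAGE} {live}: {'VULNERABLE' if is_vulnerable(live) else 'patched'}")
    # Constructed versions showing the comparison rules.
    for v in ("4.5-132", "4.5-133", "4.5-133.386", "4.5-133.400", "4.6-1"):
        print(v, "->", "vulnerable" if is_vulnerable(v) else "fixed")
```

Note that "4.5-133" (no fourth segment) still counts as vulnerable: rpm orders it before "4.5-133.386", and the advisory's fixed release is the longer string.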

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patch entries indexed yet; see Mitigation for the vendor's fixed package)


References: 1
