HGiga MailSherlock - Broken Access Control
Description
HGiga MailSherlock has an insufficient access control vulnerability. An unauthenticated remote user can exploit this vulnerability to access partial content of another user’s mail by changing the user ID and mail ID within the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated access to partial email content in HGiga MailSherlock via insufficient access control in URL parameters.
Vulnerability
HGiga MailSherlock versions with iSherlock-user-4.5 <= 4.5-161 and iSherlock-antispam-4.5 <= 4.5-167 contain an insufficient access control vulnerability [1]. An unauthenticated remote user can exploit this bug to view partial content (e.g., email subject) of another user's mail by manipulating the user ID and mail ID parameters in the URL [1].
Exploitation
An unauthenticated remote attacker can directly craft HTTP requests to the MailSherlock web interface, changing the user ID and mail ID within the URL [1]. No prior authentication or user interaction is required; the attacker only needs network access to the vulnerable system [1].
Impact
Successful exploitation allows an attacker to read partial email content (specifically the subject line) of other users, leading to information disclosure with low confidentiality impact [1]. The attacker does not gain write access or full message body access, and the integrity and availability of the system remain unaffected.
Mitigation
The vendor released fixed packages on 2023-02-24: iSherlock-user-4.5-162.386.rpm and iSherlock-antispam-4.5-168.386.rpm [1]. Users should update these system components to the patched versions. There are no known workarounds; applying the update is the only recommended mitigation.
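For reviewing web access logs for the ID manipulation described above, here is a log check written as an added example; it is not vendor code and not part of the original advisory. The endpoint path `/mail/view`, the parameter names `uid` and `mid`, the log format and the sample lines are all assumptions, because the advisory does not publish the real URL format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed names: the advisory does not give the real path or parameter names.
MAIL_VIEW_PATH = "/mail/view"            # hypothetical endpoint
USER_PARAM, MAIL_PARAM = "uid", "mid"    # hypothetical URL parameters

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_id_enumeration(lines, max_users=1):
    """Return {client_ip: sorted user IDs} for clients whose successful
    mail-view requests span more than max_users distinct user IDs.
    Raise max_users for proxies or NAT gateways shared by several users."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or the server did not return content
        url = urlsplit(m["target"])
        if url.path != MAIL_VIEW_PATH:
            continue
        qs = parse_qs(url.query)
        # Both IDs must be present: the advisory says both are changed in the URL.
        if USER_PARAM in qs and MAIL_PARAM in qs:
            seen[m["ip"]].add(qs[USER_PARAM][0])
    return {ip: sorted(u) for ip, u in seen.items() if len(u) > max_users}

# Constructed sample lines (documentation IP ranges), not real traffic.
TS = "[01/Mar/2023:10:00:00 +0800]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /mail/view?uid=1001&mid=5 HTTP/1.1" 200 512',
    f'198.51.100.7 - - {TS} "GET /mail/view?uid=1002&mid=5 HTTP/1.1" 200 498',
    f'198.51.100.7 - - {TS} "GET /mail/view?uid=1003&mid=9 HTTP/1.1" 200 530',
    f'203.0.113.20 - - {TS} "GET /mail/view?uid=2001&mid=1 HTTP/1.1" 200 700',
    f'203.0.113.20 - - {TS} "GET /mail/view?uid=2001&mid=2 HTTP/1.1" 200 650',
    f'203.0.113.9 - - {TS} "GET /mail/view?uid=3001&mid=1 HTTP/1.1" 403 120',
    f'203.0.113.9 - - {TS} "GET /mail/view?uid=3002&mid=1 HTTP/1.1" 403 120',
    f'192.0.2.5 - - {TS} "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, users in find_id_enumeration(SAMPLE).items():
        print(f"{ip}: mail views across {len(users)} user IDs: {users}")
```

A hit is a lead for review rather than proof of abuse; after the fixed packages are installed, the same requests should no longer return status 200 to an unauthenticated client.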
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- HGiga/MailSherlock, v5, Range: iSherlock-user-4.5
References