CVE-2024-4298

Severity CVSS v4.0:

Pending analysis

Type:

CWE-78 OS Command Injections

Publication date:

29/04/2024

Last modified:

03/07/2024

Description

The email search interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.20 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x

7.20

Severity 3.x

HIGH

References to Advisories, Solutions, and Tools

https://www.chtsecurity.com/news/4559fabd-43d1-4324-a0b3-f459a05c2290
https://www.chtsecurity.com/news/f67fd9b5-cb7a-42e4-bcb7-cc1c73d1f851
https://www.twcert.org.tw/tw/cp-132-7769-0773a-1.html