CVE-2019-9882

moderate-risk

Published 2019-06-03

Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&new=hacker@socialengineering.com&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (8)

Msr35 Isherlock-Base

Msr35 Isherlock-Sysinfo

Msr35 Isherlock-User

Msr35 Isherlock-Useradmin

Msr45 Isherlock-Base

Msr45 Isherlock-Sysinfo

Msr45 Isherlock-User

Msr45 Isherlock-Useradmin

Affected Vendors

Hgiga

References (4)

Exploit http://surl.twcert.org.tw/MtWeJ

Exploit https://tvn.twcert.org.tw/taiwanvn/TVN-201904002

Exploit http://surl.twcert.org.tw/MtWeJ

Exploit https://tvn.twcert.org.tw/taiwanvn/TVN-201904002

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 14/34 · Moderate