CVE-2019-9883

moderate-risk

Published 2019-06-03

Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to elevate privilege of specific account via useradmin/cf_new.cgi?chief=&wk_group=full&cf_name=test&cf_account=test&cf_email=&cf_acl=Management&apply_lang=&dn= without any authorizes.

Do I need to act?

0.14% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (8)

Msr35 Isherlock-Base

Msr35 Isherlock-Sysinfo

Msr35 Isherlock-User

Msr35 Isherlock-Useradmin

Msr45 Isherlock-Base

Msr45 Isherlock-Sysinfo

Msr45 Isherlock-User

Msr45 Isherlock-Useradmin

Affected Vendors

Hgiga

References (4)

Exploit http://surl.twcert.org.tw/mChNi

Exploit https://tvn.twcert.org.tw/taiwanvn/TVN-201904003

Exploit http://surl.twcert.org.tw/mChNi

Exploit https://tvn.twcert.org.tw/taiwanvn/TVN-201904003

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 1/34 · Minimal

Exposure 14/34 · Moderate