Mailsherlock · Mailsherlock · CVE-2019-9883
**Name of the Vulnerable Software and Affected Versions**
MailSherlock versions MSR35 and MSR45
**Description**
The issue affects multiple modules of MailSherlock and allows an attacker to change the privilege level of a specific account without authorization. This is done through the "/useradmin/cf_new.cgi" API endpoint using the parameters `chief`, `wk_group`, `cf_name`, `cf_account`, `cf_email`, `cf_acl`, `apply_lang`, and `dn`.
**Recommendations**
For MailSherlock versions MSR35 and MSR45, restrict access to the "/useradmin/cf_new.cgi" API endpoint until a patch is available. As a temporary workaround, do not allow requests to the affected endpoint that set the `cf_acl` parameter to the value 'Management', which reduces the opportunity for exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
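As an added example for monitoring the workaround above (not code from the advisory or the vendor), the following script scans web-server access logs for requests to the affected endpoint and raises the severity when `cf_acl=Management` is present. It assumes Common Log Format lines as written by a reverse proxy in front of MailSherlock; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format), not real MailSherlock logs.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2019:12:00:01 +0000] "GET /useradmin/cf_new.cgi?chief=1&wk_group=ops&cf_name=alice&cf_account=alice&cf_email=alice%40example.test&cf_acl=Management&apply_lang=en&dn=ou%3Dusers HTTP/1.1" 200 512
10.0.0.6 - - [10/Mar/2019:12:00:02 +0000] "GET /webmail/index.cgi HTTP/1.1" 200 2048
10.0.0.7 - - [10/Mar/2019:12:00:03 +0000] "POST /useradmin/cf_new.cgi HTTP/1.1" 302 0
10.0.0.8 - - [10/Mar/2019:12:00:04 +0000] "GET /useradmin/cf_new.cgi?cf_account=bob&cf_acl=User HTTP/1.1" 200 512
"""

# client, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

ENDPOINT = "/useradmin/cf_new.cgi"   # endpoint named in CVE-2019-9883
ACL_PARAM = "cf_acl"
PRIVILEGED_ACL = "Management"        # value the advisory says to block


def analyze(log_text):
    """Return one finding per request to the vulnerable endpoint, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != ENDPOINT:
            continue
        params = parse_qs(parts.query)
        acl = params.get(ACL_PARAM, [None])[0]
        if acl == PRIVILEGED_ACL:
            severity = "high"       # privilege-raising value seen in the query string
        elif m["method"] == "POST" and not parts.query:
            severity = "review"     # parameters travel in the body, not visible here
        else:
            severity = "medium"     # any other use of the endpoint is still noteworthy
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "acl": acl,
            "params": sorted(params), "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['method']:4} cf_acl={f['acl']} params={f['params']}")
```

Because POST bodies are not recorded in access logs, the "review" findings need the application's own logs or a proxy that logs request bodies to confirm what was sent.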