PT-2019-11525 · Mailcleaner · Mailcleaner
Publicado
2019-07-18
·
Atualizado
2020-08-24
·
CVE-2019-1010246
CVSS v3.1
7.5
Alta
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
MailCleaner versions prior to c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9
Description:
The issue allows for unauthenticated disclosure of MySQL database password information. This can lead to the disclosure of MySQL database content, including usernames and passwords. The problem is specifically with the API call in the
allowAction() function in NewslettersController.php, which can be exploited via an HTTP GET request.Recommendations:
For MailCleaner versions prior to c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9, update to version c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 to resolve the issue. As a temporary workaround, consider restricting access to the
allowAction() function in NewslettersController.php to minimize the risk of exploitation.Correção
Missing Authorization
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mailcleaner