PT-2019-11525 · Mailcleaner · Mailcleaner

Published

2019-07-18

Updated

2020-08-24

CVE-2019-1010246

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: MailCleaner versions prior to c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9

Description: The issue allows for unauthenticated disclosure of MySQL database password information. This can lead to the disclosure of MySQL database content, including usernames and passwords. The problem is specifically with the API call in the allowAction() function in NewslettersController.php, which can be exploited via an HTTP GET request.

Recommendations: For MailCleaner versions prior to c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9, update to version c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 to resolve the issue. As a temporary workaround, consider restricting access to the allowAction() function in NewslettersController.php to minimize the risk of exploitation.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2019-1010246

Affected Products

Mailcleaner

PT-2019-11525 · Mailcleaner · Mailcleaner

CVE-2019-1010246

Weakness Enumeration

Related Identifiers

Affected Products

References · 3