CVE-2019-9883

Name of the Vulnerable Software and Affected Versions MailSherlock versions MSR35 and MSR45

Description The issue affects multiple modules of MailSherlock, allowing an attacker to elevate the privileges of a specific account without authorization. This can be achieved through the "/useradmin/cf new.cgi" API endpoint with specific parameters, including chief, wk group, cf name, cf account, cf email, cf acl, apply lang, and dn.

Recommendations For MailSherlock versions MSR35 and MSR45, consider restricting access to the "/useradmin/cf new.cgi" API endpoint until a patch is available. As a temporary workaround, avoid using the cf acl parameter with the value 'Management' in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.