PT-2024-25923 · Hsc · Hc Mailinspector
Osvaldotenorio · Published 2024-05-04 · Updated 2025-11-25
CVE-2024-34472
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
HSC Mailinspector versions 5.2.17-3 through 5.2.18
Description
An authenticated blind SQL injection issue exists in the mliRealtimeEmails.php file. The ordemGrid parameter of a POST request to "/mailinspector/mliRealtimeEmails.php" is not properly sanitized, allowing an authenticated attacker to execute arbitrary SQL commands. This could lead to disclosure of the entire application database.
Recommendations
For HSC Mailinspector versions 5.2.17-3 through 5.2.18, consider disabling access to the mliRealtimeEmails.php file or restricting use of the ordemGrid parameter in the affected endpoint until a patch is available. Avoid using the ordemGrid parameter in POST requests to "/mailinspector/mliRealtimeEmails.php" until the issue is resolved.
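The parameter name ordemGrid suggests a grid sort order, and an ORDER BY clause cannot take a bound parameter, which is why string-built sort clauses are a common injection point. The following is an added example, not code from HSC Mailinspector, showing the defensive pattern that fixes this class of bug: the requested sort key is looked up in a fixed allowlist and only the allowlisted column expression is placed in the SQL text, while data values still go through bound parameters. The table, column names and sample rows are constructed for the demo and are not the product's real schema.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample schema standing in for a realtime e-mail grid.
# Column names are assumptions for the demo, not the product's real schema.
SCHEMA = """
CREATE TABLE emails (
    id INTEGER PRIMARY KEY,
    sender TEXT,
    subject TEXT,
    received_at TEXT
);
INSERT INTO emails (sender, subject, received_at) VALUES
  ('alice@example.com', 'Quarterly report', '2024-05-01T09:00:00'),
  ('bob@example.com',   'Lunch?',           '2024-05-02T12:30:00'),
  ('carol@example.com', 'Invoice 42',       '2024-04-30T17:45:00');
"""

# Allowlist: the only sort keys a client may request, mapped to the exact
# column expression that is allowed to appear in the query text.
ALLOWED_ORDER_COLUMNS = {
    "sender": "sender",
    "subject": "subject",
    "received": "received_at",
}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


class InvalidSortParameter(ValueError):
    """Raised when the requested sort order is not on the allowlist."""


def build_order_clause(ordem_grid: str) -> str:
    """Turn a client-supplied '<key> [asc|desc]' string into a safe ORDER BY.

    Nothing from the request string is ever copied into the SQL: the key and
    direction are only used as dictionary lookups, and any value that is not
    an exact allowlist entry is rejected.
    """
    parts = ordem_grid.strip().split()
    if len(parts) not in (1, 2):
        raise InvalidSortParameter(f"unexpected sort parameter: {ordem_grid!r}")
    column = ALLOWED_ORDER_COLUMNS.get(parts[0].lower())
    direction_key = parts[1].lower() if len(parts) == 2 else "asc"
    direction = ALLOWED_DIRECTIONS.get(direction_key)
    if column is None or direction is None:
        raise InvalidSortParameter(f"sort key not permitted: {ordem_grid!r}")
    return f"ORDER BY {column} {direction}"


def fetch_emails(conn: sqlite3.Connection, ordem_grid: str,
                 sender_filter: Optional[str] = None) -> List[Tuple[str, str]]:
    """Data values (the sender filter) are bound with '?'; the sort order
    comes only from the allowlist via build_order_clause()."""
    sql = "SELECT sender, subject FROM emails"
    params: list = []
    if sender_filter is not None:
        sql += " WHERE sender = ?"
        params.append(sender_filter)
    sql += " " + build_order_clause(ordem_grid)
    return conn.execute(sql, params).fetchall()


def demo_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_rejected(ordem_grid: str) -> bool:
    """True when the allowlist refuses the requested sort order."""
    try:
        build_order_clause(ordem_grid)
    except InvalidSortParameter:
        return True
    return False


if __name__ == "__main__":
    conn = demo_db()
    print(fetch_emails(conn, "received desc"))
    # Anything that is not exactly an allowlisted key is refused before any
    # SQL is built, so it never reaches the database engine.
    print(is_rejected("received desc, (SELECT 1)"))
```

The same structure carries over directly to the PHP endpoint: map the ordemGrid value through a fixed array of permitted column names, reject unknown values with an error response, and keep every other user-supplied value in a prepared-statement placeholder.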
Weakness Enumeration
SQL injection
Affected Products
Hc Mailinspector