CVE-2024-4299

HGiga iSherlock - Command Injection

CVSS 7.2 HIGHEPSS 2.1%CWE-78

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7.2EPSS 2.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

29 Apr 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

HGiga · iSherlock 4.5 HGiga · iSherlock 5.5

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.chtsecurity.com/news/4559fabd-43d1-4324-a0b3-f459a05c2290 https://www.chtsecurity.com/news/f67fd9b5-cb7a-42e4-bcb7-cc1c73d1f851 https://www.twcert.org.tw/tw/cp-132-7771-36c50-1.html