Multi modules of MailSherlock MSR35 and MSR45 lead to a CSRF vulnerability. It allows attacker to add malicious email sources into whitelist via user/save_list.php?ACSION=&type=email&category=white&locate=big5&cmd=add&[email protected]&new_memo=&add=%E6%96%B0%E5%A2%9E without any authorizes.
[
{
"product": "MailSherlock MSR35",
"vendor": "OAKlouds ",
"versions": [
{
"lessThan": "1.5-328",
"status": "affected",
"version": "iSherlock-base",
"versionType": "custom"
},
{
"lessThan": "1.5-239",
"status": "affected",
"version": "iSherlock-useradmin",
"versionType": "custom"
},
{
"lessThan": "1.5-196",
"status": "affected",
"version": "iSherlock-sysinfo",
"versionType": "custom"
},
{
"lessThan": "1.5-127",
"status": "affected",
"version": "iSherlock-user",
"versionType": "custom"
}
]
},
{
"product": "MailSherlock MSR45",
"vendor": "OAKlouds ",
"versions": [
{
"lessThan": "4.5-206",
"status": "affected",
"version": "iSherlock-base",
"versionType": "custom"
},
{
"lessThan": "4.5-106",
"status": "affected",
"version": "iSherlock-useradmin",
"versionType": "custom"
},
{
"lessThan": "4.5-109",
"status": "affected",
"version": "iSherlock-sysinfo",
"versionType": "custom"
},
{
"lessThan": "4.5-81",
"status": "affected",
"version": "iSherlock-user",
"versionType": "custom"
}
]
}
]