Critical MailCleaner Vulnerabilities Let Attackers Execute Arbitrary Commands
Critical vulnerabilities in MailCleaner versions earlier than 2023.03.14 enable remote attackers to take full control of the appliance through malicious emails, administrator interaction with attacker-controlled sites or links, and exploitation of SOAP endpoints, compromising the confidentiality and integrity of the MailCleaner system and any emails it processes.
Furthermore, authenticated attackers with administrative privileges can gain additional control by executing arbitrary commands or manipulating files on the system, which poses a significant risk, especially in cluster deployments where a single compromised system can give attackers control of all cluster members.
A critical vulnerability in MailCleaner's email cleaning cron job allows remote attackers to gain root access through a crafted email that exploits an OS command injection flaw, enabling arbitrary command execution and total system compromise.
By taking control of the MailCleaner appliance, attackers can intercept and manipulate all emails the system processes.
An unauthenticated attacker can exploit a stored XSS vulnerability in the admin dashboard through a malicious email that injects malicious JavaScript, allowing session hijacking, data theft, or unauthorized actions as an admin.
This XSS can also be chained with other vulnerabilities to achieve OS command injection, greatly amplifying the attack potential.
A critical command injection vulnerability exists in administrator endpoints, allowing attackers to gain root access; it requires either compromised administrator credentials or social engineering to trick an administrator into visiting a malicious URL, and successful exploitation grants total system compromise.
Two vulnerabilities identified at unspecified endpoints allow attackers to inject malicious JavaScript through crafted links; the script runs in the user's browser session when the link is clicked, enabling session hijacking, data theft, or unauthorized actions under the victim's identity.
This reflects a reflected Cross-Site Scripting (XSS) vulnerability where user-supplied data is not sanitized before being echoed back in the response.
Exploiting the command injection vulnerability in the getStats endpoint.
Unauthenticated SOAP endpoint vulnerabilities enable remote attackers to execute arbitrary commands with root privileges by injecting OS commands through user-supplied data, bypassing inadequate validation.
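The injection pattern behind both the cron job flaw and the SOAP endpoint flaws is untrusted input reaching a shell. The following is an added illustration, not MailCleaner's code: a hypothetical cron-job helper that builds a quarantine command from a sender header, shown in the risky string-interpolation form beside a hardened form that validates the value and passes an argument list with no shell.

```python
import re
import shlex
import subprocess

# Constructed sample input: a sender header value an attacker controls.
# It carries a shell metacharacter followed by a second command.
INJECTED_SENDER = "alice@example.com; touch /tmp/pwned"

# Hypothetical helper binary; the path is an assumption for this example.
QUARANTINE_BIN = "/usr/local/bin/quarantine"

# Conservative allowlist for a bare email address (no spaces, no ';', no quotes).
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def vulnerable_quarantine_cmd(sender: str, msg_path: str) -> str:
    """Pattern to avoid: header text interpolated into a single shell string.

    Anything after ';' in the sender becomes a separate command when the
    string is handed to a shell (e.g. via os.system or shell=True).
    """
    return f"{QUARANTINE_BIN} --sender {sender} {msg_path}"


def shell_tokens(cmd: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would split words."""
    return shlex.split(cmd)


def hardened_quarantine_argv(sender: str, msg_path: str) -> list[str]:
    """Validate the header against an allowlist, then build an argv list.

    The sender is one argv element, so it can never be parsed as a second
    command; values failing the allowlist are rejected outright.
    """
    if not ADDR_RE.fullmatch(sender):
        raise ValueError("rejected sender header: not a plain email address")
    return [QUARANTINE_BIN, "--sender", sender, msg_path]


def run_hardened(sender: str, msg_path: str) -> None:
    """Execute the helper without a shell; argv elements are passed verbatim."""
    subprocess.run(hardened_quarantine_argv(sender, msg_path), shell=False, check=True)
```

Tokenising the vulnerable string shows `touch` surfacing as its own word, which is exactly what a shell would run; the hardened path never reaches that point because the header fails validation.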
According to Modzero, in clustered environments, compromising a single member grants full access to all machines, further escalating the compromise.
Multiple critical and high-severity vulnerabilities were identified in an unspecified software system, where an unauthenticated attacker can potentially execute arbitrary commands on the system by email (CVE-2024-3191), inject malicious scripts (CVE-2024-3192, CVE-2024-3194), or trick a logged-in user into performing unintended actions (CVE-2024-3193).
Authenticated users can potentially gain unauthorized access to files (CVE-2024-3195) and execute arbitrary commands on the system through local SOAP endpoints (CVE-2024-3196).
Source credit: cybersecuritynews.com