CVE-2024-4296

The account management interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.twcert.org.tw/tw/cp-132-7765-49906-1.html	Third Party Advisory
https://www.twcert.org.tw/tw/cp-132-7765-49906-1.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hgiga:isherlock::::::::
	cpe:2.3:a:hgiga:isherlock::::::::

History

No history.

Information

Published : 2024-04-29 02:15

Updated : 2026-01-26 14:46

NVD link : CVE-2024-4296

Mitre link : CVE-2024-4296

CVE.ORG link : CVE-2024-4296

JSON object : View

Products Affected

hgiga

isherlock

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2024-4296", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2024-04-29T02:15:06.153", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7765-49906-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}, {"url": "https://www.twcert.org.tw/tw/cp-132-7765-49906-1.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The account management interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files."}, {"lang": "es", "value": "La interfaz de administraci\u00f3n de cuentas de HGiga iSherlock (incluidos MailSherlock, SpamSherlock, AuditSherlock) no filtra caracteres especiales en ciertos par\u00e1metros de funci\u00f3n, lo que permite a atacantes remotos con privilegios administrativos explotar esta vulnerabilidad para descargar archivos arbitrarios del sistema."}], "lastModified": "2026-01-26T14:46:45.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hgiga:isherlock:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FF931D3-3D1B-494C-8895-58FE6828E163", "versionEndExcluding": "4.5-149", "versionStartIncluding": "4.5"}, {"criteria": "cpe:2.3:a:hgiga:isherlock:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FA7FF42-37D1-4EC9-8705-7BE765CB45F3", "versionEndExcluding": "5.5-149", "versionStartIncluding": "5.5"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}