CVE-2024-34472

MEDIUM

HSC Mailinspector <5.2.18 - Authenticated SQL Injection

Title source: llm

Description

An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An authenticated blind SQL injection vulnerability exists in the mliRealtimeEmails.php file. The ordemGrid parameter in a POST request to /mailinspector/mliRealtimeEmails.php does not properly sanitize input, allowing an authenticated attacker to execute arbitrary SQL commands, leading to the potential disclosure of the entire application database.

Exploits (1)

nomisec WRITEUP

by osvaldotenorio · poc

https://github.com/osvaldotenorio/CVE-2024-34472

View Code ZIP pw:eip

References (1)

[Exploit, Third Party Advisory] https://github.com/osvaldotenorio/CVE-2024-34472

Scores

CVSS v3 5.5

EPSS 0.0223

EPSS Percentile 84.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

hsclabs/mailinspector 5.2.17-3 - 5.2.19

Published May 06, 2024

Tracked Since Feb 18, 2026