CVE-2024-45438

Sažetak

An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication.

Reference

https://docs.titanhq.com/en/13161-spamtitan-release-notes.html
https://seclists.org/fulldisclosure/2025/Sep/15
https://www.seralys.com/research/CVE-2024-45438.txt
https://www.titanhq.com/email-protection/

CVSS

Base:	9.1
Impact:	5.2
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Zadnje važnije ažuriranje

09-10-2025 - 13:15

Objavljeno

21-08-2025 - 17:15