CVE-2024-45438

{"id": "CVE-2024-45438", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2025-08-21T17:15:29.553", "references": [{"url": "https://docs.titanhq.com/en/13161-spamtitan-release-notes.html", "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2025/Sep/15", "source": "cve@mitre.org"}, {"url": "https://www.seralys.com/research/CVE-2024-45438.txt", "source": "cve@mitre.org"}, {"url": "https://www.titanhq.com/email-protection/", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication."}, {"lang": "es", "value": "Se detect\u00f3 un problema en TitanHQ SpamTitan Email Security Gateway 8.00.x (anterior a 8.00.101) y 8.01.x (anterior a 8.01.14). El archivo quarantine.php de la interfaz de SpamTitan permite a usuarios no autenticados ejecutar acciones a nivel de cuenta mediante una solicitud GET espec\u00edfica. Cabe destacar que, al proporcionar una direcci\u00f3n de correo electr\u00f3nico inexistente como parte del par\u00e1metro de correo electr\u00f3nico, SpamTitan crear\u00e1 autom\u00e1ticamente un registro de usuario y le asociar\u00e1 la configuraci\u00f3n de cuarentena, todo ello sin necesidad de autenticaci\u00f3n."}], "lastModified": "2025-10-09T13:15:30.703", "sourceIdentifier": "cve@mitre.org"}