CVE-2021-41083

CSRF Vulnerability in dada-mail 11.15.1 and below

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Dada Mail is a web-based e-mail list management system. In affected versions a bad actor could give someone a carefully crafted web page via email, SMS, etc, that - when visited, allows them control of the list control panel as if the bad actor was logged in themselves. This includes changing any mailing list password, as well as the Dada Mail Root Password - which could effectively shut out actual list owners of the mailing list and allow the bad actor complete and unfettered control of your mailing list. This vulnerability also affects profile logins. For this vulnerability to work, the target of the bad actor would need to be logged into the list control panel themselves. This CSRF vulnerability in Dada Mail affects all versions of Dada Mail v11.15.1 and below. Although we know of no known CSRF exploits that have happened in the wild, this vulnerability has been confirmed by our testing, and by a third party. Users are advised to update to version 11.16.0.

Dada Mail es un sistema de administración de listas de correo electrónico basado en la web. En las versiones afectadas, un actor malicioso podría dar a alguien una página web cuidadosamente diseñada por medio de correo electrónico, SMS, etc., que, cuando es visitada, permite controlar el panel de control de la lista como si el actor malicioso estuviera conectado. Esto incluye el cambio de cualquier contraseña de la lista de correo, así como de la Contraseña Root de Dada Mail, lo que podría excluir a los verdaderos propietarios de la lista de correo y permitir al actor malicioso el control completo y sin restricciones de su lista de correo. Esta vulnerabilidad también afecta a los inicios de sesión del perfil. Para que esta vulnerabilidad funcione, el objetivo del actor malicioso tendría que haber iniciado sesión en el panel de control de la lista por sí mismo. Esta vulnerabilidad de tipo CSRF en Dada Mail afecta a todas las versiones de Dada Mail v11.15.1 y por debajo. Aunque no sabemos de ninguna explotación conocida de tipo CSRF que haya ocurrido en el wild, esta vulnerabilidad ha sido confirmada por nuestras pruebas, y por un tercero. Se recomienda a los usuarios que actualicen a la versión 11.16.0

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-09-20 CVE Published
2024-06-05 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (2)

URL	Tag	Source
https://github.com/justingit/dada-mail/security/advisories/GHSA-344m-p829-2r38	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/justingit/dada-mail/commit/d4d3d86d08c816b4da75a5ef45abc12188772459	2021-10-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dadamailproject Search vendor "Dadamailproject"		Dada Mail Search vendor "Dadamailproject" for product "Dada Mail"				< 11.16.0 Search vendor "Dadamailproject" for product "Dada Mail" and version " < 11.16.0"		-		Affected