Command Injection vulnerability with mailnews.cgi file

I got a critical vulnerability issue with that file.

Mailnews.cgi fails to check remote user-supplied input for shell metacharacters. A remote attacker can insert a new user to the mailnews’ user file which includes malicious shell commands in the username field. Upon displaying this data, the embedded commands will execute with the privileges of the web server process.

What is the implication of deleting this file?
What is this file for?

Thank you
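
The report above describes the classic pattern: a username field that is later interpolated into a shell command line. As an added illustration (not code from the thread or from any mailnews.cgi), the block below shows the two defender-side pieces that matter: an allowlist check for new usernames, a scan of an existing user file for entries that already contain shell metacharacters, and the argv-list form that avoids shell parsing when a stored name is handed to a helper program. The `username:email` file layout, the 32-character limit and the `/usr/bin/printf` helper are assumptions.

```python
import re

# Allowlist for a new mailnews username (assumed policy, not the real CGI's rule).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# Characters the shell treats specially. Any of these in a field that is later
# pasted into a command string is the symptom the report describes.
SHELL_METACHARS = set(";|&$`<>()\\\"'\n\r ")


def is_safe_username(name: str) -> bool:
    """Allowlist check to run before a new username is written to the user file."""
    return bool(USERNAME_RE.fullmatch(name))


def find_suspicious_entries(user_file_text: str) -> list[tuple[int, str]]:
    """Scan an existing user file; return (line_no, username) for fields that
    contain shell metacharacters, i.e. entries that may already have been injected."""
    hits = []
    for line_no, line in enumerate(user_file_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        username = line.split(":", 1)[0]  # assumed layout: username:email
        if any(ch in SHELL_METACHARS for ch in username):
            hits.append((line_no, username))
    return hits


def unsafe_display_command(username: str) -> str:
    """The weak form: the stored name becomes part of a shell command string.
    Shown only so the difference to build_display_argv() is visible; never run it."""
    return f"/usr/bin/printf '%s\\n' {username}"


def build_display_argv(username: str) -> list[str]:
    """Hardened form: pass the name as one argv element to subprocess.run(argv)
    with no shell involved, so metacharacters are never interpreted."""
    return ["/usr/bin/printf", "%s\n", username]


# Constructed sample user file; not data from any real system.
SAMPLE_USER_FILE = """# mailnews users (constructed sample)
alice:alice@example.test
bob:bob@example.test
mallory;id:mallory@example.test
"""
```

Running `find_suspicious_entries(SAMPLE_USER_FILE)` flags line 4, the only entry whose username field carries a shell metacharacter.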

Hello Juan and welcome to the community!

Could you be a bit more specific? Where did you find this file and where do you want to delete it?

Hi @Hendrik_Buchwald
Sorry, it was found in a SonarQube scan at these pages:
sonarqubeserver/cgi/mailnews.cgi
sonarqubeserver/DYNAMIC/mailnews.cgi
sonarqubeserver/scripts/mailnews.cgi
sonarqubeserver/cgi-bin/mailnews.cgi
sonarqubeserver/cgibin/mailnews.cgi
sonarqubeserver/script/mailnews.cgi
sonarqubeserver/cgi-local/mailnews.cgi
sonarqubeserver/htbin/mailnews.cgi
sonarqubeserver/cgi-win/mailnews.cgi

Hi Juan,

Thanks! There are no such files in SonarQube. I assume that you used a tool to scan for it, so the likely explanation is that it is reporting false positives. Have you tried accessing the files in your browser?

Also, please note that we have a process in place to report vulnerabilities that should be followed: Responsible Vulnerability Disclosure