I got a critical vulnerability issue with that file. Mailnews.cgi fails to check remote user-supplied input for shell metacharacters. A remote attacker can insert a new user to the mailnews’ user file which includes malicious shell commands in the username field. Upon displaying this data, the embe…

Hi Juan, Thanks! There are no such files in SonarQube. I assume that you used a tool to scan for it, so the likely explanation is that it is reporting false-positives. Have you tried accessing the files in your browser? Also, please note that we have a process in place to report vulnerabilities th…

Commmand Injection vulnerability with mailnews.cgi file

SonarQube Server / Community Build

Hendrik_Buchwald (Hendrik Buchwald) November 23, 2021, 4:05pm 2

Hello Juan and welcome to the community!

Could you be a bit more specific? Where did you find this file and where do you want to delete it?

Topic		Replies	Views
Vulnerability in Confluence version SonarQube Server / Community Build documentation	2	738	April 19, 2019
Change this code to not log user-controlled data SonarQube Server / Community Build	4	2891	September 29, 2023
Hundreds of false positives for translation module SonarQube Cloud security	7	838	August 13, 2020
Help SonarCloud with understanding the usage of untrusted and tainted input SonarQube Cloud security , false-positive , sonarqube-cloud	7	11031	October 25, 2021
PHP S3649 False-Negative Report False-positive / False-negative... php , security	14	1092	July 2, 2021

Commmand Injection vulnerability with mailnews.cgi file

Related topics