CVE-2020-24617
📋 TL;DR
CVE-2020-24617 is an SQL injection vulnerability in Mailtrain's campaign statistics feature that allows attackers to execute arbitrary SQL commands. This affects Mailtrain instances up to version 1.24.1. Attackers can potentially access, modify, or delete database content including user data and campaign information.
💻 Affected Systems
- Mailtrain
📦 What is this software?
Mailtrain (vendor/project: Mailtrain), a self-hosted newsletter application built on Node.js.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to system access; possible remote code execution if database functions permit.
Likely Case
Unauthorized access to sensitive campaign data, subscriber information, and user credentials stored in the database.
If Mitigated
Limited impact with proper input validation and database permissions restricting query execution scope.
🎯 Exploit Status
Exploitation requires sending crafted requests to /campaigns/clicked/ajax endpoint. Public proof-of-concept exists in GitHub security advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.24.2 and later
Vendor Advisory: https://github.com/Mailtrain-org/mailtrain/pull/909
Restart Required: Yes
Instructions:
1. Back up your Mailtrain installation and database.
2. Update Mailtrain to version 1.24.2 or later.
3. Restart the Mailtrain service.
4. Verify the fix by checking the version and testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Add input validation that rejects unexpected column names before the request is processed.
Modify lib/models/campaigns.js so that the column parameter is checked against an allowlist of known column names.
Web Application Firewall Rule
Block SQL injection patterns in requests to /campaigns/clicked/ajax.
Add a WAF rule to detect and block SQL injection patterns in the URL parameters of that endpoint.
🧯 If You Can't Patch
- Restrict network access to Mailtrain interface to trusted IP addresses only
- Implement database user with minimal permissions (read-only for stats functions)
🔍 How to Verify
Check if Vulnerable:
Check the Mailtrain version. If it is 1.24.1 or earlier, the system is vulnerable. Review lib/models/campaigns.js, function statsClickedSubscribersByColumn, to see whether the column parameter is validated or escaped before it is used in the query.
Check Version:
Check package.json or run: grep version /path/to/mailtrain/package.json
Verify Fix Applied:
After patching, verify version is 1.24.2 or later. Test the /campaigns/clicked/ajax endpoint with malicious input to confirm SQL injection is prevented.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed requests to /campaigns/clicked/ajax
- Requests with SQL keywords in parameters
Network Indicators:
- Unusual traffic patterns to /campaigns/clicked/ajax endpoint
- Requests containing SQL injection payloads
SIEM Query:
source="mailtrain" AND url="/campaigns/clicked/ajax" AND param="column" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--")