cbcvebase.
CVE-2011-4542
published 2011-11-30

CVE-2011-4542: Hastymail2 2.1.1 before RC2 allows remote attackers to execute arbitrary commands via the (1) rs or (2) rsargs[] parameter in a mailbox Drafts action to the…

PriorityP266high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
26.06%
97.7th percentile
Hastymail2 2.1.1 before RC2 allows remote attackers to execute arbitrary commands via the (1) rs or (2) rsargs[] parameter in a mailbox Drafts action to the default URI.

Affected

10 ranges
VendorProductVersion rangeFixed in
hastymailhastymail2<= 2.1.1
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2
hastymailhastymail2

Detection & IOCsextracted from sources · hover to see the quote

pathlib/ajax_functions.php
path/hastymail2/
  • Look for POST requests to the Hastymail default URI containing 'rs' or 'rsargs[]' parameters in a mailbox Drafts action — these are the injectable parameters.
  • Detect exploitation attempts by monitoring POST requests to lib/ajax_functions.php for abuse of call_user_func_array() via the rs/rsargs[] parameters.
  • The Metasploit module transmits the payload Base64-encoded in a custom HTTP header named 'Cmd' — inspect POST requests to /hastymail2/ for a non-standard 'Cmd' header containing Base64 data.
  • Authentication is required before exploitation; monitor for a POST login to ?page=login followed immediately by a POST to the base Hastymail URI with a 'Cmd' header — this sequence indicates automated exploitation.
  • Track the session cookie set after successful login (HTTP 303 redirect from ?page=login) and correlate it with subsequent suspicious POST requests to the Hastymail base path.
  • ·The default base path used by the Metasploit module is /hastymail2/ but may be customised by the attacker via TARGETURI — do not rely solely on path-based detection.
  • ·Exploitation requires valid credentials; unauthenticated scanning will not trigger the vulnerability. Detections should account for the mandatory prior authentication step.
  • ·Only Hastymail2 versions up to 2.1.1 RC1 are affected; 2.1.1 RC2 and later are patched.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.