CVE-2022-40319
published 2023-01-17

Priority: P354 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EXPLOIT
EPSS: 7.20% (93.5th percentile)

The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.

Affected (1 range)

Vendor | Product | Version range | Fixed in
lsoft | listserv | |

Detection & IOCs (extracted from sources)

url: http://example.com/scripts/wa.exe?INDEX&X=[session-id]&Y=[email-address]
path: /scripts/wa.exe
cookie: WALOGIN
  • Detect IDOR exploitation attempts by monitoring requests to /scripts/wa.exe where the Y parameter email address does not match the authenticated session's owner email or the WALOGIN cookie value.
  • Alert on mismatches between the WALOGIN cookie value (ASCII-encoded email) and the Y parameter email address in requests to wa.exe, as this is the core exploitation mechanism.
  • Monitor wa.exe requests where the Y parameter is modified across sequential requests from the same session, indicating enumeration or IDOR abuse against multiple victim accounts.
  • The IDOR vulnerability is present specifically in LISTSERV version 17; verify the installed version before applying detections.
  • The exploit was tested on Windows Server 2019; the wa.exe path is Windows-specific and detections should be scoped accordingly.
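One way to implement the third detection above (the Y email changing within a single X session), shown as an added example that is not part of the original record. The "METHOD URL" log-line layout, the session ids and the addresses are constructed assumptions; the WALOGIN comparison is left out because the record does not specify the cookie encoding.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample requests ("METHOD URL"); not taken from any real log.
SAMPLE_LOG = [
    "GET /scripts/wa.exe?INDEX&X=AAAA1111&Y=alice%40example.com",
    "GET /scripts/wa.exe?INDEX&X=AAAA1111&Y=Alice@example.com",
    "GET /scripts/WA.EXE?INDEX&X=BBBB2222&Y=mallory%40example.com",
    "GET /scripts/wa.exe?INDEX&X=BBBB2222&Y=bob%40example.com",
    "GET /scripts/wa.exe?INDEX&X=BBBB2222&Y=carol%40example.com",
    "GET /index.html?X=BBBB2222&Y=dave%40example.com",
    "GET /scripts/wa.exe?INDEX&X=CCCC3333",
]

def parse_wa_request(line):
    """Return (session_id, email) for a wa.exe request carrying X and Y, else None."""
    parts = line.split()
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    # Windows paths are case-insensitive, so compare in lower case.
    if path.lower() != "/scripts/wa.exe":
        return None
    params = {}
    for field in query.split("&"):
        key, sep, value = field.partition("=")
        if sep:  # skip bare flags such as INDEX
            params[key.upper()] = unquote(value)
    if "X" not in params or "Y" not in params:
        return None
    # Normalise the address so a case or %40 change is not counted as a new identity.
    return params["X"], params["Y"].strip().lower()

def sessions_with_changing_y(lines):
    """Map session id -> ordered distinct Y addresses, for sessions that used more than one."""
    seen = defaultdict(list)
    for line in lines:
        parsed = parse_wa_request(line)
        if parsed and parsed[1] not in seen[parsed[0]]:
            seen[parsed[0]].append(parsed[1])
    return {sid: emails for sid, emails in seen.items() if len(emails) > 1}

if __name__ == "__main__":
    for sid, emails in sessions_with_changing_y(SAMPLE_LOG).items():
        print(f"ALERT session {sid}: Y changed across {emails}")
```

Session AAAA1111 is not flagged because its two Y values differ only in URL encoding and letter case; BBBB2222 is flagged with three distinct addresses.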