CVE-2022-40319
Published 2023-01-17
Priority: P3 (score 54)
Severity: high (CVSS 3.1 base score 7.5)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit: yes
EPSS: 7.20% (93.5th percentile)
The LISTSERV 17 web interface allows remote attackers to conduct Insecure Direct Object References (IDOR) attacks via a modified email address in a wa.exe URL. The impact is unauthorized modification of a victim's LISTSERV account.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lsoft | listserv | — | — |
Detection & IOCs (extracted from sources)
- Detect IDOR exploitation attempts by monitoring requests to /scripts/wa.exe where the Y parameter email address does not match the authenticated session's owner email or the WALOGIN cookie value.
- Alert on mismatches between the WALOGIN cookie value (ASCII-encoded email) and the Y parameter email address in requests to wa.exe, as this is the core exploitation mechanism.
- Monitor wa.exe requests where the Y parameter is modified across sequential requests from the same session, indicating enumeration or IDOR abuse against multiple victim accounts.
- The IDOR vulnerability is present specifically in LISTSERV version 17; verify the installed version before applying detections.
- The exploit was tested on Windows Server 2019; the wa.exe path is Windows-specific and detections should be scoped accordingly.
No detection rules found.
No writeups or analysis indexed.