September 9, 2020

GHSL-2020-132: SQL Injection in Mailtrain - CVE-2020-24617

Jaroslav Lobacevski


SQL injection and missing CSRF protection may lead to Remote Code Execution (RCE) or arbitrary file read.



Tested Version



SQL injection in statsClickedSubscribersByColumn accessible from /campaigns/clicked/ajax

The column parameter taken from user input is used, without validation, to format a SQL query. The following HTTP request triggers the SQL injection. Note that no anti Cross-Site Request Forgery (CSRF) token is sent: a specially crafted page can exploit this missing protection against a logged-in Mailtrain user to perform the injection even if the attacker has no credentials.

POST /campaigns/clicked/ajax/1/gdgdg/stats HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: connect.sid=s%3AzxIehz7S0MFY1s3sP_7WxkFE6_yfHN8T.C3jcpEr1Ly1gAAnMRhELS0qiBJgBSCDV4ohkiuo1kj0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 19



This issue may lead to RCE or arbitrary file read. However, an important prerequisite is an improperly configured (over-privileged) database user. If the database user is correctly locked down, the issue can still lead to denial of service or a timing-based blind read. Authentication is not needed if the vulnerability is chained with the missing CSRF protection.


Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-132 in any communication regarding this issue.