CVE-2024-45438
Published: 21 August 2025
Summary
CVE-2024-45438 is a critical-severity Improper Access Control (CWE-284) vulnerability in Titanhq (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, ranked in the top 40.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly limits and documents specific actions permitted without identification or authentication, preventing unauthenticated account creation via quarantine.php.
Enforces approved access authorizations, blocking unauthenticated users from executing critical account-level actions in the web interface.
Manages system accounts by requiring approval and review processes for creation, mitigating unauthorized automatic user record provisioning.
NVD Description
An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent…
more
email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication.
Deeper analysisAI
CVE-2024-45438 affects TitanHQ SpamTitan Email Security Gateway versions 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The vulnerability resides in the quarantine.php file within the SpamTitan web interface, which allows unauthenticated users to execute account-level actions via a crafted GET request. Specifically, providing a non-existent email address in the email parameter triggers the automatic creation of a user record and associates quarantine settings with it, all without authentication requirements. It is linked to CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function), with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction. By sending a specially crafted GET request to quarantine.php, attackers can create arbitrary user accounts for non-existent email addresses and configure associated quarantine settings. This enables significant integrity and availability disruptions, such as unauthorized account proliferation or manipulation of email quarantine functions, potentially leading to denial of service or evasion of security controls.
TitanHQ release notes document fixes in versions 8.00.101 and 8.01.14. Advisories on Full Disclosure and Seralys research detail the issue and recommend upgrading to patched versions immediately. Security teams should verify deployments, restrict access to the SpamTitan interface where possible, and monitor for anomalous user creation events.
Details
- CWE(s)