Filtered by vendor Mailcow
Subscribe
Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24760 | 1 Mailcow | 1 Mailcow\ | 2024-02-10 | N/A | 7.3 HIGH |
| mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`. | |||||
| CVE-2024-23824 | 1 Mailcow | 1 Mailcow\ | 2024-02-10 | N/A | 2.7 LOW |
| mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to pixel flood attack, once the payload has been successfully uploaded in the logo the application goes slow and doesn't respond in the admin page. It is tested on the versions 2023-12a and prior and patched in version 2024-01. | |||||
| CVE-2023-49077 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | N/A | 6.1 MEDIUM |
| Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11. | |||||
| CVE-2023-34108 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | N/A | 8.8 HIGH |
| mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. Upon a successful login, the script returns a response in the format of "password=<valid-password>", indicating the successful authentication. By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password "123 mail_crypt_save_version=0" would cause the `passwd-verify.lua` script to return the string "password=123 mail_crypt_save_version=0". Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences. This vulnerability can be exploited by an authenticated attacker who has the ability to set their own password. Successful exploitation of this vulnerability could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities. This issue has been patched in version `2023-05a`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-26490 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | N/A | 8.8 HIGH |
| mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot. The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply execute additional shell commands. Notably, the default ACL for a newly-created mailcow account does not include the necessary permission. The Issue has been fixed within the 2023-03 Update (March 3rd 2023). As a temporary workaround the Syncjob ACL can be removed from all mailbox users, preventing from creating or changing existing Syncjobs. | |||||
| CVE-2022-31138 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings. | |||||
| CVE-2022-39258 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | N/A | 8.2 HIGH |
| mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server. | |||||
| CVE-2022-31245 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | 9.0 HIGH | 8.8 HIGH |
| mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin via the --debug option in conjunction with the ---PIPEMESS option in Sync Jobs. | |||||
| CVE-2017-8928 | 1 Mailcow | 1 Mailcow\ | 2023-12-10 | 6.8 MEDIUM | 8.8 HIGH |
| mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF. | |||||