Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Two security vulnerabilities have been disclosed in the Mailcow open-supply mail server suite that could be exploited by malicious actors to attain arbitrary code execution on inclined situations.

Equally shortcomings impact all variations of the application prior to edition 2024-04, which was released on April 4, 2024. The issues ended up responsibly disclosed by SonarSource on March 22, 2024.

The flaws, rated Reasonable in severity, are mentioned under –

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

• CVE-2024-30270 (CVSS score: 6.7) – A path traversal vulnerability impacting a operate named “rspamd_maps()” that could end result in the execution of arbitrary instructions on the server by allowing a threat actor to overwrite any file which is can be modified with the “www-details” consumer

• CVE-2024-31204 (CVSS score: 6.8) – A cross-web site scripting (XSS) vulnerability by means of the exception handling mechanism when not working in the DEV_Manner

The next of the two flaws is rooted in the truth that it saves facts of the exception sans any sanitization or encoding, which are then rendered into HTML and executed as JavaScript in the users’ browser.

As a result, an attacker could get gain of the circumstance to inject malicious scripts into the admin panel by triggering exceptions with specifically crafted enter, properly allowing them to hijack the session and conduct privileged actions in the context of an administrator.

Set in different ways, by combining the two flaws, it’s feasible for a malicious party to acquire command of accounts on a Mailcow server and get access to delicate info as very well as execute instructions.

In a theoretical attack scenario, a risk actor can craft an HTML email containing a CSS qualifications impression which is loaded from a distant URL, working with it to set off the execution of an XSS payload.

“An attacker can combine each vulnerabilities to execute arbitrary code on the admin panel server of a vulnerable mailcow instance,” SonarSource vulnerability researcher Paul Gerste mentioned.

“The necessity for this is that an admin consumer sights a malicious email although staying logged into the admin panel. The victim does not have to click on a connection inside the email or carry out any other conversation with the email itself, they only have to go on working with the admin panel following viewing the email.”

Uncovered this post attention-grabbing? Stick to us on Twitter  and LinkedIn to read through additional special content we article.