Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Jun 19, 2024 | Newsroom | Email Security / Vulnerability

Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.

Both shortcomings affect all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. Administrators running an older release should upgrade to 2024-04 or later, since that release contains the fixes.

The flaws, rated Moderate in severity, are listed below –

  • CVE-2024-30270 (CVSS score: 6.7) – A path traversal vulnerability affecting a function named "rspamd_maps()" that could result in the execution of arbitrary commands on the server by allowing a threat actor to overwrite any file that can be modified by the "www-data" user
  • CVE-2024-31204 (CVSS score: 6.8) – A cross-site scripting (XSS) vulnerability via the exception handling mechanism when the application is not running in DEV_MODE
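To make the path traversal class concrete, the following is an added illustration written for this article, not Mailcow's own code (Mailcow's admin panel is PHP; this sketch is Python). It shows the vulnerable pattern, a caller-supplied map name joined onto a base directory without normalization, so that "../" segments or an absolute name reach files outside that directory, beside a hardened lookup that allow-lists the name and then checks that the normalized path stays inside the base directory. The directory, map names and traversal string are constructed for the example and are not taken from the advisory.

```python
import os

# Constructed for this example: a hypothetical directory of map files that the
# web server user (www-data) may write, and the map names the application
# should accept. Neither the path nor the names come from Mailcow.
MAPS_DIR = "/var/lib/rspamd/maps"
ALLOWED_MAPS = {"example_allow.map", "example_deny.map"}


def unsafe_map_path(maps_dir: str, name: str) -> str:
    """Vulnerable pattern: trust the caller-supplied name and join it.

    os.path.join does not normalize, so "../" segments survive, and an
    absolute name discards maps_dir entirely. Writing to the result lets the
    caller overwrite any file www-data can modify.
    """
    return os.path.join(maps_dir, name)


def resolves_inside(maps_dir: str, name: str) -> bool:
    """True only if maps_dir/name, after normalization, is at or below
    maps_dir. Pure path arithmetic; nothing touches the disk."""
    base = os.path.normpath(os.path.abspath(maps_dir))
    target = os.path.normpath(os.path.join(base, name))
    return os.path.commonpath([base, target]) == base


def safe_map_path(maps_dir: str, name: str):
    """Hardened lookup: a map name is a fixed identifier, never a path, so
    allow-list it first; the containment check is defence in depth.
    Returns the normalized path, or None if the request is rejected."""
    if name not in ALLOWED_MAPS:
        return None
    if not resolves_inside(maps_dir, name):
        return None
    return os.path.normpath(os.path.join(maps_dir, name))


if __name__ == "__main__":
    # A constructed traversal string; the target file is illustrative only.
    evil = "../../../tmp/outside.txt"
    print("unsafe join :", unsafe_map_path(MAPS_DIR, evil))
    print("inside base?:", resolves_inside(MAPS_DIR, evil))
    print("safe lookup :", safe_map_path(MAPS_DIR, evil))
    print("safe lookup :", safe_map_path(MAPS_DIR, "example_allow.map"))
```

The order of the two checks matters: the allow-list rejects anything that is not a known identifier, which closes the traversal without relying on path parsing, while the containment check catches a future change that starts accepting free-form names.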

The second flaw stems from the fact that the exception handler saves details of the exception without any sanitization or encoding; those details are later rendered into HTML, so any script they contain executes as JavaScript in the user's browser.

As a result, an attacker could take advantage of this behavior to inject malicious scripts into the admin panel by triggering exceptions with specially crafted input, effectively allowing them to hijack the session and perform privileged actions in the context of an administrator.
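The two paragraphs above describe a stored XSS pattern: attacker-controlled text lands in an exception message, is persisted as-is, and is later written into HTML without encoding. The snippet below is an added illustration of that pattern and its fix, written for this article in Python; it is not Mailcow's code and does not reproduce its PHP exception handler. The in-memory error log, the render functions and the payload string are all constructed for the example.

```python
import html
import json

# Constructed for this example: a hypothetical error log that an admin panel
# persists and later displays to administrators.
_error_log: list = []


def record_exception(exc: Exception) -> None:
    """Store exception details verbatim. Storing raw text is acceptable as
    long as every consumer encodes for its output context; the bug in this
    pattern is in rendering, not in storage."""
    _error_log.append({"type": type(exc).__name__, "message": str(exc)})


def render_errors_unsafe() -> str:
    """Vulnerable pattern: interpolate stored text straight into HTML, so a
    message such as <img src=x onerror=...> becomes live markup that runs
    in the administrator's browser."""
    rows = "".join(
        f"<tr><td>{e['type']}</td><td>{e['message']}</td></tr>" for e in _error_log
    )
    return f"<table>{rows}</table>"


def render_errors_safe() -> str:
    """Hardened pattern: HTML-encode every untrusted value at the point it is
    written into the document. quote=True also encodes quotes, so the value
    stays inert inside attributes as well as in text nodes."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(e["type"], quote=True),
            html.escape(e["message"], quote=True),
        )
        for e in _error_log
    )
    return f"<table>{rows}</table>"


def render_errors_json() -> str:
    """Alternative: hand the data to the front end as JSON and insert it with
    textContent, which the browser never parses as markup."""
    return json.dumps(_error_log)


def demo(payload: str) -> tuple:
    """Reset the log, raise an exception carrying attacker-controlled input,
    and return (unsafe_html, safe_html) so the difference can be checked."""
    _error_log.clear()
    try:
        raise ValueError(f"invalid value: {payload}")
    except ValueError as exc:
        record_exception(exc)
    return render_errors_unsafe(), render_errors_safe()


if __name__ == "__main__":
    unsafe_html, safe_html = demo('<img src=x onerror="alert(document.cookie)">')
    print(unsafe_html)
    print(safe_html)
```

Encoding at output time is the general fix: the same stored message may be shown in an HTML table, a JSON API and a log file, and each sink needs its own encoding, which is why escaping on storage alone is not enough.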

Put differently, by chaining the two flaws, a malicious party could take control of accounts on a Mailcow server, gain access to sensitive data and execute commands.

In a theoretical attack scenario, a threat actor could craft an HTML email containing a CSS background image that is loaded from a remote URL, using it to trigger the execution of an XSS payload.

"An attacker can combine both vulnerabilities to execute arbitrary code on the admin panel server of a vulnerable mailcow instance," SonarSource vulnerability researcher Paul Gerste said.

"The requirement for this is that an admin user views a malicious email while being logged into the admin panel. The victim does not have to click a link inside the email or perform any other interaction with the email itself, they only have to continue using the admin panel after viewing the email."
