Two security vulnerabilities have been identified in Mailcow, an open-source email server software. These vulnerabilities could allow attackers to take complete control of a vulnerable Mailcow server. The flaws impact all versions of Mailcow released before April 4, 2024 (version 2024-04).
The first vulnerability (CVE-2024-30270) allows attackers to overwrite files on the server. The attacker could then potentially run malicious code to gain control of the server. The second vulnerability (CVE-2024-31204) is a cross-site scripting (XSS) flaw. This vulnerability allows an attacker to inject malicious code into a specially crafted email. If an administrator views this email while logged into the Mailcow admin panel, the attacker’s code could be executed with the administrator’s privileges.
An attacker could exploit these vulnerabilities together to gain complete control of a Mailcow server. In a theoretical attack scenario, an attacker would send a malicious email to a Mailcow administrator. The email would contain a specially crafted image that would trigger the XSS vulnerability. Once the administrator viewed the email while logged in, the attacker’s code would be executed, allowing them to take over the server.
Users of Mailcow should update their software to version 2024-04 or later as soon as possible. This update addresses both of these vulnerabilities.
Reference:
