CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41960 – Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized
https://notcve.org/view.php?id=CVE-2024-41960
05 Aug 2024 — mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. • https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41959 – Cross-site Scripting (XSS) via API Logs in mailcow: dockerized
https://notcve.org/view.php?id=CVE-2024-41959
05 Aug 2024 — mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. • https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-41958 – Two-Factor Authentication (2FA) Bypass in mailcow: dockerized
https://notcve.org/view.php?id=CVE-2024-41958
05 Aug 2024 — mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these c... • https://github.com/OrangeJuiceHU/CVE-2024-41958-PoC • CWE-697: Incorrect Comparison •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31204 – mailcow Cross-site Scripting Vulnerability via Exception Handler
https://notcve.org/view.php?id=CVE-2024-31204
04 Apr 2024 — mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HT... • https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24760 – Mailcow Docker Container Exposure to Local Network
https://notcve.org/view.php?id=CVE-2024-24760
02 Feb 2024 — mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 123... • https://github.com/killerbees19/CVE-2024-24760 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2024-23824 – mailcow ipixel flood attack leads to Denial of Service in admin page
https://notcve.org/view.php?id=CVE-2024-23824
02 Feb 2024 — mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to pixel flood attack, once the payload has been successfully uploaded in the logo the application goes slow and doesn't respond in the admin page. It is tested on the versions 2023-12a and prior and patched in version 2024-01. mailcow es un paquete de correo electrónico acoplado, con múltiples contenedores vinculados en una red puente. La aplicación es vulnerable al ataque de inundac... • https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49077 – mailcow-dockerized XSS Vulnerability in Quarantine UI Allows Unauthorized Access and Data Manipulation
https://notcve.org/view.php?id=CVE-2023-49077
30 Nov 2023 — Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11. • https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34108 – Manipulation of Internal Dovecot Variables in mailcow via crafted Passwords
https://notcve.org/view.php?id=CVE-2023-34108
07 Jun 2023 — mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. Upon a successful login, the scri... • https://github.com/VladimirBorisov/CVE_proposal/blob/main/MailcowUserPassword.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26490 – mailcow is vulnerable to shell command injection via xoauth2 authentication in imapsync
https://notcve.org/view.php?id=CVE-2023-26490
03 Mar 2023 — mailcow is a dockerized email package, with multiple containers linked in one bridged network. The Sync Job feature - which can be made available to standard users by assigning them the necessary permission - suffers from a shell command injection. A malicious user can abuse this vulnerability to obtain shell access to the Docker container running dovecot. The imapsync Perl script implements all the necessary functionality for this feature, including the XOAUTH2 authentication mechanism. This code path crea... • https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-03 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39258 – mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
https://notcve.org/view.php?id=CVE-2022-39258
27 Sep 2022 — mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server. mailcow es una suite de servidores de ... • https://github.com/mailcow/mailcow-dockerized/pull/4766 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-451: User Interface (UI) Misrepresentation of Critical Information CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •