Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

June 19, 2024 at 04:03AM

Two security vulnerabilities in Mailcow, impacting versions prior to 2024-04, were disclosed by SonarSource. CVE-2024-30270 allows arbitrary code execution via path traversal, and CVE-2024-31204 enables cross-site scripting. Exploiting both could hijack admin sessions and execute arbitrary code. Mailcow users are urged to update to the latest version to mitigate these risks.

The meeting notes from June 19, 2024, highlight two security vulnerabilities that were disclosed in the Mailcow open-source mail server suite. The vulnerabilities could potentially allow malicious actors to execute arbitrary code on vulnerable instances.

The first vulnerability, identified as CVE-2024-30270 with a CVSS score of 6.7, is a path traversal flaw in a function named “rspamd_maps()”. It allows a threat actor to overwrite any file writable by the “www-data” user, which can in turn lead to the execution of arbitrary commands on the server.
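As an added illustration of the path-traversal class behind CVE-2024-30270 (hypothetical Python, not Mailcow's own rspamd_maps() code; MAPS_DIR and ALLOWED_MAPS are constructed values), the unchecked join is shown beside a hardened version that an operator or reviewer would expect to see:

```python
import os
from pathlib import Path

# Constructed base directory in which map files are meant to live (hypothetical).
MAPS_DIR = Path("/tmp/example_rspamd_maps")
# Constructed allowlist of the map files the web UI is meant to edit (hypothetical).
ALLOWED_MAPS = frozenset({"local_whitelist.map", "local_blacklist.map"})


def vulnerable_map_path(map_name: str) -> str:
    """Joins the user-controlled name straight onto the base directory.

    A name containing '..' segments escapes MAPS_DIR, so any file the
    web-server user can write becomes reachable through this function.
    """
    return os.path.normpath(os.path.join(str(MAPS_DIR), map_name))


def safe_map_path(map_name: str) -> Path:
    """Two independent checks: an allowlist of known map names, then a
    containment check on the fully resolved path so that '..' segments,
    absolute names or symlinks cannot point outside MAPS_DIR."""
    if map_name not in ALLOWED_MAPS:
        raise ValueError(f"unknown map name: {map_name!r}")
    base = MAPS_DIR.resolve()
    candidate = (base / map_name).resolve()
    if not candidate.is_relative_to(base):  # Python 3.9+
        raise ValueError(f"path escapes maps directory: {map_name!r}")
    return candidate


def is_safe(map_name: str) -> bool:
    """True only when the hardened check accepts the supplied name."""
    try:
        safe_map_path(map_name)
        return True
    except ValueError:
        return False
```

The vulnerable variant resolves a traversal name to a location outside the maps directory, while the hardened variant rejects it before any file is touched.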

The second vulnerability, identified as CVE-2024-31204 with a CVSS score of 6.8, is a cross-site scripting (XSS) vulnerability in the exception-handling mechanism used when the application is not running in DEV_MODE. This flaw allows attackers to inject malicious scripts into the admin panel, potentially leading to session hijacking and privileged actions performed in the administrator’s context.

In a theoretical attack scenario described in the meeting notes, a threat actor could craft an HTML email containing a CSS background image loaded from a remote URL to trigger the execution of an XSS payload.

It is important to note that both vulnerabilities impact all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024.

It is critical to address these vulnerabilities promptly to mitigate potential risks and protect sensitive data on Mailcow servers.
