Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.
Both shortcomings affect all versions of the software prior to version 2024-04, which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024.
The flaws, rated Moderate in severity, are listed below –
- CVE-2024-30270 (CVSS score: 6.7) – A path traversal vulnerability impacting a function named "rspamd_maps()" that could result in the execution of arbitrary commands on the server by allowing a threat actor to overwrite any file that can be modified by the "www-data" user
- CVE-2024-31204 (CVSS score: 6.8) – A cross-site scripting (XSS) vulnerability via the exception handling mechanism when not operating in DEV_MODE
The second of the two flaws stems from the fact that it saves details of the exception without any sanitization or encoding, which are then rendered into HTML and executed as JavaScript within the users' browser.
As a result, an attacker could take advantage of the issue to inject malicious scripts into the admin panel by triggering exceptions with specially crafted input, effectively allowing them to hijack the session and perform privileged actions in the context of an administrator.
Put differently, by combining the two flaws, it is possible for a malicious party to take control of accounts on a Mailcow server and gain access to sensitive data as well as execute commands.
In a theoretical attack scenario, a threat actor can craft an HTML email containing a CSS background image that is loaded from a remote URL, using it to trigger the execution of an XSS payload.
"An attacker can combine both vulnerabilities to execute arbitrary code on the admin panel server of a vulnerable mailcow instance," SonarSource vulnerability researcher Paul Gerste said.
"The requirement for this is that an admin user views a malicious email while being logged into the admin panel. The victim does not have to click a link inside the email or perform any other interaction with the email itself, they only have to continue using the admin panel after viewing the email."
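The two bug classes described above, as an added example that is not Mailcow's code (Mailcow's panel is written in PHP; this is a Python sketch): a map-name check that rejects path traversal before a file writable by the web user is touched, and an exception message rendered unescaped beside its escaped form. The function names, the error markup and the /srv/maps directory are assumptions for the illustration.

```python
import html
import os


def is_safe_map_name(maps_dir: str, requested: str) -> bool:
    """True only if `requested` names a file strictly inside maps_dir.

    Illustrates the path traversal class of CVE-2024-30270: the check runs
    on the normalized path, so '..' segments and absolute paths cannot steer
    a write outside the directory the web user is allowed to edit. commonpath
    (not startswith) is used so a sibling like '/srv/maps_other' is rejected.
    Lexical check only; a production version should also resolve symlinks.
    """
    base = os.path.normpath(os.path.abspath(maps_dir))
    candidate = os.path.normpath(os.path.join(base, requested))
    inside = os.path.commonpath([base, candidate]) == base
    return inside and candidate != base


def resolve_map_path(maps_dir: str, requested: str) -> str:
    """Return the on-disk path for a map name, or raise with the bad input
    echoed in the message (the kind of exception text the second flaw
    rendered into HTML without encoding)."""
    if not is_safe_map_name(maps_dir, requested):
        raise ValueError(f"map name not allowed: {requested}")
    return os.path.normpath(os.path.join(os.path.abspath(maps_dir), requested))


def render_error_unsafe(exc: Exception) -> str:
    """Vulnerable pattern: exception text dropped into HTML verbatim, so
    attacker-controlled input reaches the admin's browser as markup."""
    return f'<div class="error">{exc}</div>'


def render_error_safe(exc: Exception) -> str:
    """Hardened form: HTML-escape the message before it is rendered."""
    return f'<div class="error">{html.escape(str(exc), quote=True)}</div>'


if __name__ == "__main__":
    # Constructed sample names; /srv/maps is a hypothetical maps directory.
    for name in ("allow.map", "../../etc/passwd", "/etc/passwd"):
        try:
            print("ok    ", resolve_map_path("/srv/maps", name))
        except ValueError as exc:
            print("unsafe", render_error_unsafe(exc))
            print("safe  ", render_error_safe(exc))
```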