Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that, when chained together, allow an attacker to execute arbitrary code on vulnerable instances.
Both affect all versions of the software prior to 2024-04, released on April 4, 2024. SonarSource reported the issues to the project on March 22, 2024.
Both flaws are rated Moderate in severity:
CVE-2024-30270 (CVSS score: 6.7): A path traversal vulnerability in the “rspamd_maps()” function. The map name passed to the function is not validated, so an attacker with access to the admin panel can overwrite any file writable by the “www-data” user and, by choosing a suitable target file, execute arbitrary commands on the server.
CVE-2024-31204 (CVSS score: 6.8): A cross-site scripting (XSS) vulnerability in the exception handling code used when DEV_MODE is off. Exception details are rendered into HTML without sanitization or encoding, so any script they contain runs as JavaScript in the user’s browser.
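To make the first bug class concrete, here is an added example (written for this article, not Mailcow's own code) of a map-saving handler that trusts a caller-supplied map name, next to a hardened version that checks the name against an allowlist and confirms the resolved path stays inside the maps directory. The directory layout, file names and the `ALLOWED_MAPS` set are assumptions made for the demo.

```python
import os
import tempfile

# Added example, not Mailcow's code: the bug class behind CVE-2024-30270.
# A handler writes an Rspamd map file under a fixed directory and takes the
# map name from the request. Directory layout, file names and the allowlist
# below are assumptions made for this demo.

ALLOWED_MAPS = {"global_from_whitelist.map", "global_to_blacklist.map"}  # assumed names


def save_map_vulnerable(maps_dir: str, name: str, content: str) -> str:
    """Joins the caller-supplied name onto maps_dir with no validation.
    A name such as '../index.php' walks out of maps_dir: path traversal."""
    path = os.path.join(maps_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return os.path.realpath(path)


def resolve_inside(maps_dir: str, name: str) -> str:
    """Resolves maps_dir/name and refuses anything outside the real maps_dir.
    realpath() collapses '..' and follows symlinks, so a symlinked map that
    points elsewhere is caught too. commonpath() (rather than startswith) keeps
    '/srv/maps2' from passing as a child of '/srv/maps'."""
    root = os.path.realpath(maps_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError(f"path escapes maps directory: {path}")
    return path


def escapes_maps_dir(maps_dir: str, name: str) -> bool:
    """True if name would resolve to a location outside maps_dir."""
    try:
        resolve_inside(maps_dir, name)
    except ValueError:
        return True
    return False


def save_map_hardened(maps_dir: str, name: str, content: str) -> str:
    """Two independent checks: an allowlist of known map names (which can never
    contain a path separator), then containment of the resolved path."""
    if name not in ALLOWED_MAPS:
        raise ValueError(f"unknown map name: {name!r}")
    path = resolve_inside(maps_dir, name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return path


def demonstrate() -> dict:
    """Builds a throwaway web root with a maps/ subdirectory beside a PHP file
    (constructed layout), then tries to overwrite that file via both handlers."""
    with tempfile.TemporaryDirectory() as webroot:
        maps_dir = os.path.join(webroot, "maps")
        os.mkdir(maps_dir)
        target = os.path.join(webroot, "index.php")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write("<?php echo 'original'; ?>")

        evil_name = "../index.php"             # attacker-controlled map name
        payload = "<?php echo 'replaced'; ?>"  # whatever the attacker wants served

        save_map_vulnerable(maps_dir, evil_name, payload)
        with open(target, encoding="utf-8") as fh:
            vulnerable_overwrote = fh.read() == payload

        try:
            save_map_hardened(maps_dir, evil_name, payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

        legit = save_map_hardened(maps_dir, "global_from_whitelist.map", "example.com\n")
        legit_inside = os.path.dirname(legit) == os.path.realpath(maps_dir)

    return {
        "vulnerable_overwrote_target": vulnerable_overwrote,
        "hardened_rejected_traversal": hardened_rejected,
        "hardened_wrote_inside_maps_dir": legit_inside,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The allowlist alone would already stop the traversal; the containment check is kept as a second, independent control so that a later change to how names are accepted (a regex, a database lookup) cannot silently reopen the hole. Note that the vulnerable handler succeeds only because `index.php` is writable by the account running the web application, which is exactly the `www-data` condition described above.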
Because the exception details are saved first and only rendered on a later page view, an attacker who triggers an exception with specially crafted input gets that input echoed, unencoded, into the admin panel’s HTML.
The injected script then runs in the administrator’s browser, effectively hijacking the session and performing privileged actions as that administrator.
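The store-then-render flow above is worth seeing end to end. The following is an added example, written for this article rather than taken from Mailcow, of a handler that saves exception text into the session and two renderers for it, one interpolating the text raw and one encoding it at the output boundary. The request parameter, session keys and function names are assumptions; the payload is a constructed probe, not an exploit for Mailcow.

```python
import html

# Added example, not Mailcow's code: the bug class behind CVE-2024-31204.
# A request handler catches an exception and saves its details in the user's
# session; a later page view renders them. Function and key names are
# assumptions made for this demo.

# Constructed attacker input: a request parameter that is not a valid number.
PAYLOAD = "<img src=x onerror=alert(document.cookie)>"


def handle_request(session: dict, raw_value: str) -> bool:
    """Simulates one admin-panel request (for instance the GET a CSS
    background-image URL makes the browser send). The parameter is parsed; on
    failure the exception text is saved for display later. Returns True on
    success, False when an exception was recorded."""
    try:
        int(raw_value)
        return True
    except ValueError as exc:
        # str(exc) quotes the offending input verbatim, so attacker-controlled
        # text now lives in the session until something renders it.
        session.setdefault("exceptions", []).append(
            {"type": type(exc).__name__, "message": str(exc)}
        )
        return False


def render_vulnerable(session: dict) -> str:
    """Interpolates stored exception text straight into HTML: stored XSS."""
    items = "".join(
        f"<li>{e['type']}: {e['message']}</li>" for e in session.get("exceptions", [])
    )
    return f'<ul class="errors">{items}</ul>'


def render_hardened(session: dict) -> str:
    """Same page, but every string that may carry user input is HTML-encoded at
    the output boundary. quote=True also encodes ' and ", so the value would be
    safe inside an attribute value as well as in element content."""
    items = "".join(
        f"<li>{html.escape(e['type'], quote=True)}: "
        f"{html.escape(e['message'], quote=True)}</li>"
        for e in session.get("exceptions", [])
    )
    return f'<ul class="errors">{items}</ul>'


def contains_live_markup(page: str) -> bool:
    """Crude check used by the demo: is the attacker's tag still present as
    markup (as opposed to an encoded entity sequence)?"""
    return "<img " in page and "onerror=" in page


def simulate_chain() -> dict:
    """Request 1 plants the exception without any click from the admin;
    request 2 (the admin simply continuing to use the panel) renders it.
    Returns the page each renderer would send."""
    session = {}                      # the admin's server-side session
    handle_request(session, PAYLOAD)  # request 1: caused by viewing the email
    return {
        "vulnerable": render_vulnerable(session),  # request 2, unpatched
        "hardened": render_hardened(session),      # request 2, encoded
    }


if __name__ == "__main__":
    pages = simulate_chain()
    print("unpatched:", pages["vulnerable"])
    print("patched:  ", pages["hardened"])
```

Two things the demo makes visible: the exception message is never a safe string just because the framework produced it, since Python (like PHP) embeds the offending value in it, and the encoding has to happen where the text meets HTML, not where it is stored, because a stored value may be rendered by more than one template.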
Chained together, the two flaws let an attacker take over accounts on a Mailcow server, read sensitive data, and run commands on the host.
In a hypothetical attack scenario, the attacker sends an HTML email whose CSS loads a background image from a remote URL pointing at the admin panel. When the administrator views the email, the browser fetches that URL, and the request triggers the exception that plants the XSS payload for the next page view.
“An attacker can amalgamate both vulnerabilities to execute arbitrary code on the admin panel server of a vulnerable Mailcow instance,” stated Paul Gerste, a vulnerability researcher at SonarSource.
“The prerequisite is that an admin user views a malicious email while logged into the admin panel. The victim does not need to click a link within the email or interact with the email in any other way; they only need to continue using the admin panel after viewing the email.”