40 vulnerabilities found for mailcow-dockerized by mailcow
CVE-2026-40878 (GCVE-0-2026-40878)
Vulnerability from nvd – Published: 2026-04-21 19:21 – Updated: 2026-04-22 13:39
Title
mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:39:14.669308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:39:34.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER[\u0027REQUEST_URI\u0027]` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig\u0027s default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:21:56.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf"
}
],
"source": {
"advisory": "GHSA-xv9r-j862-5hqf",
"discovery": "UNKNOWN"
},
"title": "mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40878",
"datePublished": "2026-04-21T19:21:56.837Z",
"dateReserved": "2026-04-15T15:57:41.719Z",
"dateUpdated": "2026-04-22T13:39:34.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40875 (GCVE-0-2026-40875)
Vulnerability from nvd – Published: 2026-04-21 19:19 – Updated: 2026-04-21 20:36
Title
mailcow: dockerized vulnerable to stored XSS in user login history real_rip
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This self-XSS can be chained with a login CSRF that forces the victim into the attacker's account, after which emails open in a previous browser tab can be read. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40875",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:02.686540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:36:24.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard\u0027s \"Seen successful connections\" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker\u0027s account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:19:55.768Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"
}
],
"source": {
"advisory": "GHSA-jprq-w83q-q62h",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in user login history real_rip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40875",
"datePublished": "2026-04-21T19:19:55.768Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T20:36:24.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40874 (GCVE-0-2026-40874)
Vulnerability from nvd – Published: 2026-04-21 19:17 – Updated: 2026-04-21 19:53
Title
mailcow: dockerized missing authorization on Forwarding Hosts delete action
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts via `/api/v1/delete/fwdhost`; any authenticated user can call this API. Authorization checks are only applied to the edit/add actions, yet deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40874",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:27.951156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:53:36.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:17:45.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3"
}
],
"source": {
"advisory": "GHSA-jjxh-rm7p-hjc3",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized missing authorization on Forwarding Hosts delete action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40874",
"datePublished": "2026-04-21T19:17:45.306Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T19:53:36.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40873 (GCVE-0-2026-40873)
Vulnerability from nvd – Published: 2026-04-21 19:15 – Updated: 2026-04-21 19:39
Title
mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:39:14.654574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:39:19.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:15:39.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"
}
],
"source": {
"advisory": "GHSA-2xjc-rg88-jvpp",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40873",
"datePublished": "2026-04-21T19:15:39.046Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T19:39:19.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40872 (GCVE-0-2026-40872)
Vulnerability from nvd – Published: 2026-04-21 19:14 – Updated: 2026-04-22 13:37
Title
mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40872",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:36:53.186880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:37:20.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard\u0027s Autodiscover logs render the EMailAddress value (logged as the \"user\" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:14:45.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm"
}
],
"source": {
"advisory": "GHSA-f9xf-vc72-rcgm",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40872",
"datePublished": "2026-04-21T19:14:45.309Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-22T13:37:20.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40871 (GCVE-0-2026-40871)
Vulnerability from nvd – Published: 2026-04-21 19:12 – Updated: 2026-04-21 20:36
Title
mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.
Severity ?
7.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40871",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:34.653739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:36:30.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-564",
"description": "CWE-564: SQL Injection: Hibernate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:12:52.781Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"
}
],
"source": {
"advisory": "GHSA-r8fq-wrfm-cj2q",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40871",
"datePublished": "2026-04-21T19:12:52.781Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T20:36:30.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53909 (GCVE-0-2025-53909)
Vulnerability from nvd – Published: 2025-07-17 13:47 – Updated: 2025-07-17 19:54
Title
mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.
Severity ?
9.1 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2025-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T19:54:45.486639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T19:54:59.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2025-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:47:26.179Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b"
}
],
"source": {
"advisory": "GHSA-8p7g-6cjj-wr9m",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53909",
"datePublished": "2025-07-17T13:47:26.179Z",
"dateReserved": "2025-07-11T19:05:23.827Z",
"dateUpdated": "2025-07-17T19:54:59.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25198 (GCVE-0-2025-25198)
Vulnerability from nvd – Published: 2025-02-12 17:46 – Updated: 2025-02-12 19:52
Title
mailcow: dockerized vulnerable to password reset poisoning
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Severity ?
7.1 (High)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2025-01a | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T19:51:49.806238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:52:25.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2025-01a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow\u0027s password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -\u003e Configuration -\u003e Options -\u003e Password Settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T17:46:06.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3mvx-qw4r-fcqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3mvx-qw4r-fcqf"
}
],
"source": {
"advisory": "GHSA-3mvx-qw4r-fcqf",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to password reset poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25198",
"datePublished": "2025-02-12T17:46:06.491Z",
"dateReserved": "2025-02-03T19:30:53.400Z",
"dateUpdated": "2025-02-12T19:52:25.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41960 (GCVE-0-2024-41960)
Vulnerability from nvd – Published: 2024-08-05 19:59 – Updated: 2024-08-05 20:47
Title
Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:47:18.051530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:47:28.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user\u0027s browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:59:48.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a"
}
],
"source": {
"advisory": "GHSA-jpp8-rhg6-4vvv",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41960",
"datePublished": "2024-08-05T19:59:48.492Z",
"dateReserved": "2024-07-24T16:51:40.951Z",
"dateUpdated": "2024-08-05T20:47:28.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41959 (GCVE-0-2024-41959)
Vulnerability from nvd – Published: 2024-08-05 19:59 – Updated: 2024-08-05 20:24
Title
Cross-site Scripting (XSS) via API Logs in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41959",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:24:15.518061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:24:22.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user\u0027s browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:00:03.016Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1"
}
],
"source": {
"advisory": "GHSA-v3r3-8f69-ph29",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) via API Logs in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41959",
"datePublished": "2024-08-05T19:59:46.318Z",
"dateReserved": "2024-07-24T16:51:40.951Z",
"dateUpdated": "2024-08-05T20:24:22.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41958 (GCVE-0-2024-41958)
Vulnerability from nvd – Published: 2024-08-05 19:59 – Updated: 2024-08-07 20:42
Title
Two-Factor Authentication (2FA) Bypass in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.6 (Medium)
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T20:42:09.504121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T20:42:37.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:00:14.270Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4fcc-q245-qqgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4fcc-q245-qqgg"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/f33d82ffc11ed3438609d4e7a6baa78cb3305bc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/f33d82ffc11ed3438609d4e7a6baa78cb3305bc3"
}
],
"source": {
"advisory": "GHSA-4fcc-q245-qqgg",
"discovery": "UNKNOWN"
},
"title": "Two-Factor Authentication (2FA) Bypass in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41958",
"datePublished": "2024-08-05T19:59:44.744Z",
"dateReserved": "2024-07-24T16:51:40.950Z",
"dateUpdated": "2024-08-07T20:42:37.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31204 (GCVE-0-2024-31204)
Vulnerability from nvd – Published: 2024-04-04 20:37 – Updated: 2024-12-12 20:53
Title
mailcow Cross-site Scripting Vulnerability via Exception Handler
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with a user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/remote-code-exec… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-04 | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mailcow:mailcow_dockerized:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mailcow_dockerized",
"vendor": "mailcow",
"versions": [
{
"lessThan": "2024-04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:48:22.693407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T17:50:57.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:48.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm"
},
{
"url": "https://www.vicarius.io/vsociety/posts/mailcow-with-xss-and-path-traversal-cve-2024-31204-and-cve-2024-30270"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user\u0027s browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T20:53:23.243Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm"
},
{
"name": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages"
}
],
"source": {
"advisory": "GHSA-fp6h-63w4-5hcm",
"discovery": "UNKNOWN"
},
"title": "mailcow Cross-site Scripting Vulnerability via Exception Handler"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31204",
"datePublished": "2024-04-04T20:37:45.155Z",
"dateReserved": "2024-03-29T14:16:31.899Z",
"dateUpdated": "2024-12-12T20:53:23.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30270 (GCVE-0-2024-30270)
Vulnerability from nvd – Published: 2024-04-04 20:27 – Updated: 2024-12-12 20:52
Title
mailcow Path Traversal and Arbitrary Code Execution Vulnerability
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue.
Severity ?
6.2 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://mailcow.email/posts/2024/release-2024-04 | x_refsource_MISC |
| https://www.sonarsource.com/blog/remote-code-exec… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-04 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T18:05:43.220610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:21.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp"
},
{
"name": "https://mailcow.email/posts/2024/release-2024-04",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mailcow.email/posts/2024/release-2024-04"
},
{
"url": "https://www.vicarius.io/vsociety/posts/mailcow-with-xss-and-path-traversal-cve-2024-31204-and-cve-2024-30270"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T20:52:59.248Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp"
},
{
"name": "https://mailcow.email/posts/2024/release-2024-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://mailcow.email/posts/2024/release-2024-04"
},
{
"name": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages"
}
],
"source": {
"advisory": "GHSA-4m8r-87gc-3vvp",
"discovery": "UNKNOWN"
},
"title": "mailcow Path Traversal and Arbitrary Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30270",
"datePublished": "2024-04-04T20:27:40.370Z",
"dateReserved": "2024-03-26T12:52:00.935Z",
"dateUpdated": "2024-12-12T20:52:59.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24760 (GCVE-0-2024-24760)
Vulnerability from nvd – Published: 2024-02-02 15:28 – Updated: 2025-05-15 19:49
Title
Mailcow Docker Container Exposure to Local Network
Summary
mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.
Severity ?
8.8 (High)
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-01c | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.777Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:46:19.747960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:49:55.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-01c"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions \u003c 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T15:28:22.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88"
}
],
"source": {
"advisory": "GHSA-gmpj-5xcm-xxx6",
"discovery": "UNKNOWN"
},
"title": "Mailcow Docker Container Exposure to Local Network"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24760",
"datePublished": "2024-02-02T15:28:22.086Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-05-15T19:49:55.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23824 (GCVE-0-2024-23824)
Vulnerability from nvd – Published: 2024-02-02 15:18 – Updated: 2025-06-17 13:52
Title
mailcow ipixel flood attack leads to Denial of Service in admin page
Summary
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded as the logo, the application becomes slow and the admin page stops responding. This was tested on versions 2023-12a and prior and is patched in version 2024-01.
Severity ?
4.7 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
| https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-01 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed"
},
{
"name": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23824",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:30:43.358829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:52:12.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been successfully uploaded as the logo, the application becomes slow and the admin page stops responding. This was tested on versions 2023-12a and prior and is patched in version 2024-01."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T15:18:55.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed"
},
{
"name": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack"
}
],
"source": {
"advisory": "GHSA-45rv-3c5p-w4h7",
"discovery": "UNKNOWN"
},
"title": "mailcow ipixel flood attack leads to Denial of Service in admin page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23824",
"datePublished": "2024-02-02T15:18:55.300Z",
"dateReserved": "2024-01-22T22:23:54.338Z",
"dateUpdated": "2025-06-17T13:52:12.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-40878 (GCVE-0-2026-40878)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:21 – Updated: 2026-04-22 13:39
Title
mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig's default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:39:14.669308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:39:34.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the mailcow web interface passes the raw `$_SERVER[\u0027REQUEST_URI\u0027]` to Twig as a global template variable and renders it inside a JavaScript string literal in the `setLang()` helper of `base.twig`, relying on Twig\u0027s default HTML auto-escaping instead of the context-appropriate `js` escaping strategy. In addition, the `query_string()` Twig helper merges all current `$_GET` parameters into the language-switching links on the login page, so attacker-supplied parameters are reflected and preserved across navigation. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:21:56.837Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-xv9r-j862-5hqf"
}
],
"source": {
"advisory": "GHSA-xv9r-j862-5hqf",
"discovery": "UNKNOWN"
},
"title": "mailcow-dockerized Login Page has Reflected Parameter Injection / Wrong-Context XSS Escaping"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40878",
"datePublished": "2026-04-21T19:21:56.837Z",
"dateReserved": "2026-04-15T15:57:41.719Z",
"dateUpdated": "2026-04-22T13:39:34.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40875 (GCVE-0-2026-40875)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:19 – Updated: 2026-04-21 20:36
Title
mailcow: dockerized vulnerable to stored XSS in user login history real_rip
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard's "Seen successful connections" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker's account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40875",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:02.686540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:36:24.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the user dashboard\u0027s \"Seen successful connections\" (login history) renders the client IP from login logs without HTML escaping. Because the server trusts the X-Real-IP header as the source IP for logging, an attacker can inject HTML/JS into this field. This Self-XSS can be exploited by a Login CSRF to force the victim into the attacker\u0027s account, and then read emails in a previous browser tab. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:19:55.768Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jprq-w83q-q62h"
}
],
"source": {
"advisory": "GHSA-jprq-w83q-q62h",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in user login history real_rip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40875",
"datePublished": "2026-04-21T19:19:55.768Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T20:36:24.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40874 (GCVE-0-2026-40874)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:17 – Updated: 2026-04-21 19:53
Title
mailcow: dockerized missing authorization on Forwarding Hosts delete action
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3 | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40874",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:27.951156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:53:36.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes place when deleting Forwarding Hosts with `/api/v1/delete/fwdhost`. Any authenticated user can call this API. Checks are only applied for edit/add actions, but deletion can still significantly disrupt the mail service. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:17:45.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jjxh-rm7p-hjc3"
}
],
"source": {
"advisory": "GHSA-jjxh-rm7p-hjc3",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized missing authorization on Forwarding Hosts delete action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40874",
"datePublished": "2026-04-21T19:17:45.306Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T19:53:36.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40873 (GCVE-0-2026-40873)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:15 – Updated: 2026-04-21 19:39
Title
mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40873",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:39:14.654574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:39:19.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the Quarantine details modal injects attachment filenames into HTML without escaping, allowing arbitrary HTML/JS execution. An attacker can deliver an email with a crafted attachment name so that when an admin views the quarantine item, JavaScript executes in their browser, taking over their account. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:15:39.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-2xjc-rg88-jvpp"
}
],
"source": {
"advisory": "GHSA-2xjc-rg88-jvpp",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in Quarantine attachment filenames"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40873",
"datePublished": "2026-04-21T19:15:39.046Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T19:39:19.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40872 (GCVE-0-2026-40872)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:14 – Updated: 2026-04-22 13:37
Title
mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard's Autodiscover logs render the EMailAddress value (logged as the "user" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability.
Severity ?
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40872",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T13:36:53.186880Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T13:37:20.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, the admin dashboard\u0027s Autodiscover logs render the EMailAddress value (logged as the \"user\" field) without HTML escaping. By submitting an unauthenticated Autodiscover request with a crafted EMailAddress containing HTML/JS, the payload is stored in Redis and executed when an admin views the Autodiscover logs. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:14:45.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-f9xf-vc72-rcgm"
}
],
"source": {
"advisory": "GHSA-f9xf-vc72-rcgm",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40872",
"datePublished": "2026-04-21T19:14:45.309Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-22T13:37:20.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40871 (GCVE-0-2026-40871)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:12 – Updated: 2026-04-21 20:36
Title
mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability.
Severity ?
7.2 (High)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2026-03b | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40871",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T19:53:34.653739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:36:30.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2026-03b"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. Versions prior to 2026-03b have a second-order SQL injection vulnerability in the quarantine_category field via the Mailcow API. The /api/v1/add/mailbox endpoint stores quarantine_category without validation or sanitization. This value is later used by quarantine_notify.py, which constructs SQL queries using unsafe % string formatting instead of parameterized queries. This results in a delayed (second-order) SQL injection when the quarantine notification job executes, allowing an attacker to inject arbitrary SQL. Using a UNION SELECT, sensitive data (e.g., admin credentials) can be exfiltrated and rendered inside quarantine notification emails. Version 2026-03b fixes the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-564",
"description": "CWE-564: SQL Injection: Hibernate",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:12:52.781Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-r8fq-wrfm-cj2q"
}
],
"source": {
"advisory": "GHSA-r8fq-wrfm-cj2q",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to Second Order SQL Injection in quarantine category via API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40871",
"datePublished": "2026-04-21T19:12:52.781Z",
"dateReserved": "2026-04-15T15:57:41.718Z",
"dateUpdated": "2026-04-21T20:36:30.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53909 (GCVE-0-2025-53909)
Vulnerability from cvelistv5 – Published: 2025-07-17 13:47 – Updated: 2025-07-17 19:54
Title
mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue.
Severity ?
9.1 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2025-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53909",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-17T19:54:45.486639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T19:54:59.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2025-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-17T13:47:26.179Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-8p7g-6cjj-wr9m"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/8c5f6c03214a4b2bdbf3c78932f860eee949012b"
}
],
"source": {
"advisory": "GHSA-8p7g-6cjj-wr9m",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53909",
"datePublished": "2025-07-17T13:47:26.179Z",
"dateReserved": "2025-07-11T19:05:23.827Z",
"dateUpdated": "2025-07-17T19:54:59.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25198 (GCVE-0-2025-25198)
Vulnerability from cvelistv5 – Published: 2025-02-12 17:46 – Updated: 2025-02-12 19:52
Title
mailcow: dockerized vulnerable to password reset poisoning
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the HTTP `Host` header of the reset request so that the generated password reset link points to an attacker-controlled domain. This can lead to account takeover if the user clicks the poisoned link, since the reset token embedded in the link is then delivered to the attacker's host. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
Severity ?
7.1 (High)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2025-01a | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-12T19:51:49.806238Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:52:25.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2025-01a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow\u0027s password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -\u003e Configuration -\u003e Options -\u003e Password Settings."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T17:46:06.491Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3mvx-qw4r-fcqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-3mvx-qw4r-fcqf"
}
],
"source": {
"advisory": "GHSA-3mvx-qw4r-fcqf",
"discovery": "UNKNOWN"
},
"title": "mailcow: dockerized vulnerable to password reset poisoning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25198",
"datePublished": "2025-02-12T17:46:06.491Z",
"dateReserved": "2025-02-03T19:30:53.400Z",
"dateUpdated": "2025-02-12T19:52:25.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41960 (GCVE-0-2024-41960)
Vulnerability from cvelistv5 – Published: 2024-08-05 19:59 – Updated: 2024-08-05 20:47
Title
Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:47:18.051530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:47:28.482Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user\u0027s browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:59:48.492Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a"
}
],
"source": {
"advisory": "GHSA-jpp8-rhg6-4vvv",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) via Relay Hosts Configuration in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41960",
"datePublished": "2024-08-05T19:59:48.492Z",
"dateReserved": "2024-07-24T16:51:40.951Z",
"dateUpdated": "2024-08-05T20:47:28.482Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41959 (GCVE-0-2024-41959)
Vulnerability from cvelistv5 – Published: 2024-08-05 19:59 – Updated: 2024-08-05 20:24
Title
Cross-site Scripting (XSS) via API Logs in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.6 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41959",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-05T20:24:15.518061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:24:22.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user\u0027s browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:00:03.016Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1"
}
],
"source": {
"advisory": "GHSA-v3r3-8f69-ph29",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) via API Logs in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41959",
"datePublished": "2024-08-05T19:59:46.318Z",
"dateReserved": "2024-07-24T16:51:40.951Z",
"dateUpdated": "2024-08-05T20:24:22.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41958 (GCVE-0-2024-41958)
Vulnerability from cvelistv5 – Published: 2024-08-05 19:59 – Updated: 2024-08-07 20:42
Title
Two-Factor Authentication (2FA) Bypass in mailcow: dockerized
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and must also already possess the primary credentials (username and password) of the target account that has 2FA enabled; the flaw only defeats the second factor, not the password check. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
6.6 (Medium)
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-07 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41958",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T20:42:09.504121Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T20:42:37.692Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-07"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A vulnerability has been discovered in the two-factor authentication (2FA) mechanism. This flaw allows an authenticated attacker to bypass the 2FA protection, enabling unauthorized access to other accounts that are otherwise secured with 2FA. To exploit this vulnerability, the attacker must first have access to an account within the system and possess the credentials of the target account that has 2FA enabled. By leveraging these credentials, the attacker can circumvent the 2FA process and gain access to the protected account. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T20:00:14.270Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4fcc-q245-qqgg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4fcc-q245-qqgg"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/f33d82ffc11ed3438609d4e7a6baa78cb3305bc3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/f33d82ffc11ed3438609d4e7a6baa78cb3305bc3"
}
],
"source": {
"advisory": "GHSA-4fcc-q245-qqgg",
"discovery": "UNKNOWN"
},
"title": "Two-Factor Authentication (2FA) Bypass in mailcow: dockerized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41958",
"datePublished": "2024-08-05T19:59:44.744Z",
"dateReserved": "2024-07-24T16:51:40.950Z",
"dateUpdated": "2024-08-07T20:42:37.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31204 (GCVE-0-2024-31204)
Vulnerability from cvelistv5 – Published: 2024-04-04 20:37 – Updated: 2024-12-12 20:53
Title
mailcow Cross-site Scripting Vulnerability via Exception Handler
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://www.sonarsource.com/blog/remote-code-exec… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-04 | |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mailcow:mailcow_dockerized:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mailcow_dockerized",
"vendor": "mailcow",
"versions": [
{
"lessThan": "2024-04",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T17:48:22.693407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T17:50:57.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:48.853Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm"
},
{
"url": "https://www.vicarius.io/vsociety/posts/mailcow-with-xss-and-path-traversal-cve-2024-31204-and-cve-2024-30270"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user\u0027s browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T20:53:23.243Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm"
},
{
"name": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages"
}
],
"source": {
"advisory": "GHSA-fp6h-63w4-5hcm",
"discovery": "UNKNOWN"
},
"title": "mailcow Cross-site Scripting Vulnerability via Exception Handler"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31204",
"datePublished": "2024-04-04T20:37:45.155Z",
"dateReserved": "2024-03-29T14:16:31.899Z",
"dateUpdated": "2024-12-12T20:53:23.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30270 (GCVE-0-2024-30270)
Vulnerability from cvelistv5 – Published: 2024-04-04 20:27 – Updated: 2024-12-12 20:52
Title
mailcow Path Traversal and Arbitrary Code Execution Vulnerability
Summary
mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue.
Severity ?
6.2 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://mailcow.email/posts/2024/release-2024-04 | x_refsource_MISC |
| https://www.sonarsource.com/blog/remote-code-exec… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-04 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-05T18:05:43.220610Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:38:21.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-19T07:47:49.385Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp"
},
{
"name": "https://mailcow.email/posts/2024/release-2024-04",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mailcow.email/posts/2024/release-2024-04"
},
{
"url": "https://www.vicarius.io/vsociety/posts/mailcow-with-xss-and-path-traversal-cve-2024-31204-and-cve-2024-30270"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-04"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability is a combination of path traversal and arbitrary code execution, specifically targeting the `rspamd_maps()` function. It allows authenticated admin users to overwrite any file writable by the www-data user by exploiting improper path validation. The exploit chain can lead to the execution of arbitrary commands on the server. Version 2024-04 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T20:52:59.248Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-4m8r-87gc-3vvp"
},
{
"name": "https://mailcow.email/posts/2024/release-2024-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://mailcow.email/posts/2024/release-2024-04"
},
{
"name": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages"
}
],
"source": {
"advisory": "GHSA-4m8r-87gc-3vvp",
"discovery": "UNKNOWN"
},
"title": "mailcow Path Traversal and Arbitrary Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-30270",
"datePublished": "2024-04-04T20:27:40.370Z",
"dateReserved": "2024-03-26T12:52:00.935Z",
"dateUpdated": "2024-12-12T20:52:59.248Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24760 (GCVE-0-2024-24760)
Vulnerability from cvelistv5 – Published: 2024-02-02 15:28 – Updated: 2025-05-15 19:49
Title
Mailcow Docker Container Exposure to Local Network
Summary
mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet as the host to connect to published ports of a Docker container, even when the port is bound to 127.0.0.1 on the host, so a loopback binding alone must not be relied on as an access control. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets destined for Docker containers on ports 3306, 6379, 8983, and 12345 where the input interface is not `br-mailcow` and the output interface is `br-mailcow`.
Severity ?
8.8 (High)
CWE
- CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized | Affected: < 2024-01c | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.777Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:46:19.747960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T19:49:55.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-01c"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions \u003c 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-610",
"description": "CWE-610: Externally Controlled Reference to a Resource in Another Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T15:28:22.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-gmpj-5xcm-xxx6"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/087481ac12bfa5dd715f3630f0b1697be94f7e88"
}
],
"source": {
"advisory": "GHSA-gmpj-5xcm-xxx6",
"discovery": "UNKNOWN"
},
"title": "Mailcow Docker Container Exposure to Local Network"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-24760",
"datePublished": "2024-02-02T15:28:22.086Z",
"dateReserved": "2024-01-29T20:51:26.010Z",
"dateUpdated": "2025-05-15T19:49:55.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23824 (GCVE-0-2024-23824)
Vulnerability from cvelistv5 – Published: 2024-02-02 15:18 – Updated: 2025-06-17 13:52
Title
mailcow pixel flood attack leads to Denial of Service in admin page
Summary
mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been uploaded as the logo, the application becomes slow and the admin page stops responding. This was tested on versions 2023-12a and prior and is patched in version 2024-01.
Severity ?
4.7 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/sec… | x_refsource_CONFIRM |
| https://github.com/mailcow/mailcow-dockerized/com… | x_refsource_MISC |
| https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailcow | mailcow-dockerized |
Affected:
< 2024-01
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:13:08.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed"
},
{
"name": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23824",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-21T19:30:43.358829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T13:52:12.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mailcow-dockerized",
"vendor": "mailcow",
"versions": [
{
"status": "affected",
"version": "\u003c 2024-01"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to a pixel flood attack: once the payload has been uploaded as the logo, the application becomes slow and the admin page stops responding. This was tested on versions 2023-12a and prior and is patched in version 2024-01."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T15:18:55.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-45rv-3c5p-w4h7"
},
{
"name": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mailcow/mailcow-dockerized/commit/7f6f7e0e9ff608618e5b144bcf18d279610aa3ed"
},
{
"name": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xbunniee/MailCow-Pixel-Flood-Attack"
}
],
"source": {
"advisory": "GHSA-45rv-3c5p-w4h7",
"discovery": "UNKNOWN"
},
"title": "mailcow pixel flood attack leads to Denial of Service in admin page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23824",
"datePublished": "2024-02-02T15:18:55.300Z",
"dateReserved": "2024-01-22T22:23:54.338Z",
"dateUpdated": "2025-06-17T13:52:12.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}