Skip to main content

Mailcow CVE-2022-39258

HIGH
Information Exposure (CWE-200)
2022-09-27 security-advisories@github.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 27, 2022 - 15:15 nvd
HIGH 8.2

DescriptionNVD

mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server.

AnalysisAI

mailcow is a mailserver suite. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server. Affected products include: Mailcow Mailcow\. Version information: prior to 2022.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2017-8928 HIGH POC
8.8 May 14

mailcow 0.14, as used in "mailcow: dockerized" and other products, has CSRF. Rated high severity (CVSS 8.8), this vulner

CVE-2023-26490 HIGH POC
8.8 Mar 04

mailcow is a dockerized email package, with multiple containers linked in one bridged network. Rated high severity (CVSS

CVE-2022-31138 HIGH POC
8.8 Jul 11

mailcow is a mailserver suite. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack co

CVE-2022-31245 HIGH POC
8.8 May 20

mailcow before 2022-05d allows a remote authenticated user to inject OS commands and escalate privileges to domain admin

CVE-2025-25198 HIGH POC
7.1 Feb 12

mailcow: dockerized is an open source groupware/email suite based on docker. Rated high severity (CVSS 7.1), this vulner

CVE-2024-30270 MEDIUM POC
6.2 Apr 04

mailcow: dockerized is an open source groupware/email suite based on docker. Rated medium severity (CVSS 6.2), this vuln

CVE-2024-31204 MEDIUM POC
6.1 Apr 04

mailcow: dockerized is an open source groupware/email suite based on docker. Rated medium severity (CVSS 6.1). Public ex

CVE-2023-34108 HIGH
8.8 Jun 07

mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI f

CVE-2024-24760 HIGH
7.3 Feb 02

mailcow is a dockerized email package, with multiple containers linked in one bridged network. Rated high severity (CVSS

CVE-2024-41958 HIGH
7.2 Aug 05

mailcow: dockerized is an open source groupware/email suite based on docker. Rated high severity (CVSS 7.2), this vulner

CVE-2024-23824 LOW POC
2.7 Feb 02

mailcow is a dockerized email package, with multiple containers linked in one bridged network. Rated low severity (CVSS

CVE-2024-41959 MEDIUM
6.1 Aug 05

mailcow: dockerized is an open source groupware/email suite based on docker. Rated medium severity (CVSS 6.1), this vuln

Share

CVE-2022-39258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy