
Arbitrary code execution likely with Mailcow vulnerabilities


Attackers could chain a pair of medium-severity vulnerabilities in versions of the Mailcow open-source mail server software older than 2024-04 to achieve arbitrary code execution, account takeover, and access to sensitive data, reports The Hacker News. Updating to 2024-04 or later addresses both flaws.

The more serious of the two flaws is a cross-site scripting bug, tracked as CVE-2024-31204, which could be exploited to inject malicious script into the mail server suite's admin panel; the other, a path traversal bug tracked as CVE-2024-30270, could allow arbitrary command execution by overwriting files, according to a report from SonarSource.

Vulnerable Mailcow instances could be compromised by chaining both vulnerabilities, provided that the malicious HTML email sent by the attacker is viewed by an admin user who then continues to use the admin panel, noted SonarSource researcher Paul Gerste.

"The victim does not have to click a link inside the email or perform any other interaction with the email itself, they only have to continue using the admin panel after viewing the email," said Gerste.
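A practical first step after reading the above is to confirm which Mailcow release an instance is actually running, since only versions older than 2024-04 are affected. The script below is an added example written for this page, not code from SonarSource or the Mailcow project. It assumes that mailcow-dockerized was installed as a git checkout whose release is the nearest tag on HEAD, that release tags take the form YYYY-MM with an optional lowercase hotfix letter (for example 2024-04a), and that the default install directory is /opt/mailcow-dockerized; the helper names (parse_tag, is_vulnerable, installed_tag, classify) are the author's own choices, not Mailcow APIs.

```python
"""Check whether a mailcow-dockerized checkout predates the 2024-04 release."""
import re
import subprocess
import sys

# Release that ships the fixes for CVE-2024-31204 and CVE-2024-30270 (from the article).
FIXED_TAG = "2024-04"

# Assumption: mailcow-dockerized release tags look like "2024-04", with an optional
# lowercase hotfix letter such as "2024-04a"; a hotfix sorts after its base release.
TAG_RE = re.compile(r"^(\d{4})-(\d{2})([a-z]?)$")


def parse_tag(tag: str) -> tuple[int, int, str]:
    """Turn a release tag into an orderable (year, month, hotfix) tuple.

    Raises ValueError on anything that does not match the expected format, so a
    malformed or unexpected tag is never silently treated as 'patched'.
    """
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised mailcow release tag: {tag!r}")
    year, month, hotfix = m.groups()
    return int(year), int(month), hotfix


def is_vulnerable(tag: str, fixed_tag: str = FIXED_TAG) -> bool:
    """True if `tag` is older than the release that fixed the two CVEs."""
    return parse_tag(tag) < parse_tag(fixed_tag)


def installed_tag(repo_dir: str) -> str:
    """Read the checked-out release tag from a mailcow-dockerized git checkout.

    Assumption: the instance was installed by cloning the repository, so the
    running release is the nearest tag reachable from HEAD.
    """
    out = subprocess.run(
        ["git", "-C", repo_dir, "describe", "--tags", "--abbrev=0"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


def classify(tag: str) -> str:
    """Human-readable verdict used by the command-line entry point below."""
    if is_vulnerable(tag):
        return f"{tag}: VULNERABLE (older than {FIXED_TAG}), update mailcow"
    return f"{tag}: not affected by these two CVEs ({FIXED_TAG} or later)"


if __name__ == "__main__":
    # Assumption: /opt/mailcow-dockerized is the install directory unless one is given.
    repo = sys.argv[1] if len(sys.argv) > 1 else "/opt/mailcow-dockerized"
    print(classify(installed_tag(repo)))
```

Run it on the host as `python3 check_mailcow.py /path/to/mailcow-dockerized`. The tuple comparison is what makes hotfix tags behave correctly: 2024-03a is still older than 2024-04, while 2024-04a is not, and a tag the regex does not recognise is reported as an error rather than being guessed at.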
