Mailcow Server Vulnerabilities Enable RCE
1. Two security vulnerabilities in Mailcow can lead to arbitrary code execution.
2. All Mailcow versions before 2024-04 (released April 4, 2024) are affected.
3. CVE-2024-30270 is a path traversal flaw in "rspamd_maps()" allowing arbitrary command execution by overwriting files.
4. CVE-2024-31204 is a cross-site scripting (XSS) vulnerability through the exception handling mechanism outside of DEV_MODE.
5. The XSS flaw saves unsanitized exception details, rendering them as executable JavaScript in users' browsers.
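The two root causes above (an unchecked path in the map handler, and exception text echoed into HTML) are both input-validation failures. As an added illustration that is not Mailcow's own code, the PHP below shows the defensive pattern for each: a map name is pinned to an allowlist and canonicalised inside a fixed directory, and an exception message is HTML-escaped before it reaches the page. The directory, the map names and the helper names are assumptions made for the example.

```php
<?php
// Added example, not Mailcow code. Base directory and map names are assumed.
const MAPS_DIR     = '/var/lib/rspamd/maps';              // hypothetical
const ALLOWED_MAPS = ['whitelist.map', 'blacklist.map'];  // hypothetical allowlist

/**
 * Resolve a user-supplied map name to a canonical path, or return null if it
 * is not an allowlisted basename or does not resolve inside MAPS_DIR.
 */
function resolve_map_path(string $name): ?string
{
    // 1. Strict allowlist: only known map basenames are accepted at all.
    if (!in_array($name, ALLOWED_MAPS, true)) {
        return null;
    }
    // 2. Defence in depth: no separators, dot segments or NUL bytes.
    if ($name !== basename($name) || strpos($name, "\0") !== false) {
        return null;
    }
    // 3. Canonicalise and confirm the target is still under the base dir
    //    (catches symlinks placed inside the maps directory).
    $base = realpath(MAPS_DIR);
    $full = realpath(MAPS_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null; // base directory or map file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside MAPS_DIR
    }
    return $full;
}

/**
 * Render an exception for display without letting its text become markup.
 * Escaping covers <, >, &, " and ' so attacker-controlled input stays inert.
 */
function safe_exception_html(Throwable $e): string
{
    $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<pre class="exception">' . $msg . '</pre>';
}

// Constructed inputs: a traversal attempt is rejected, a valid name may resolve.
var_dump(resolve_map_path('../../etc/cron.d/job'));   // NULL
var_dump(resolve_map_path('whitelist.map'));           // path or NULL if absent
echo safe_exception_html(new RuntimeException('<script>alert(1)</script>'));
```

The last line prints the script tag as literal text rather than executing it, which is the behaviour the unsanitised handler lacked.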
#mailcow
#vulnerabilities
#cve202430270
#cve202431204
#arbitrarycodeexecution
#remotecodeexecution
#securityflaws
#opensource
#mailserver
#sonarsource
#moderateseverity
#pathtraversal
#rspamdmaps
#crosssitescripting
#xss
#devmode
#exceptionhandling
#htmlinjection
#javascriptexecution
#adminpanel
#sessionhijacking
#privilegedactions
#accounttakeover
#sensitivedata
#maliciousscripts
#commandexecution
#emailsecurity
#cssbackgroundimage
#remoteurl
