Weaknesses in Mailcow Mail Server Lead to Remote Code Execution on Servers

June 19, 2024 | Newsroom | Email Security / Vulnerability

Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could allow attackers to execute arbitrary code on vulnerable instances.


Both flaws affect all versions of the software before 2024-04, which was released on April 4, 2024. They were responsibly reported to the project by SonarSource on March 22, 2024.

The vulnerabilities, rated as Moderate in severity, are detailed below –

  • CVE-2024-30270 (CVSS score: 6.7) – A path traversal flaw affecting the “rspamd_maps()” function that could lead to the execution of arbitrary commands on the server by allowing a malicious actor to overwrite any file that can be edited with the “www-data” user
  • CVE-2024-31204 (CVSS score: 6.8) – An XSS vulnerability via the exception handling mechanism when not in the DEV_MODE

The second flaw stems from the application storing exception details without any sanitization or encoding; those details are later rendered into HTML in the admin panel, where any embedded markup is interpreted and executed as JavaScript in the user's browser.


As a result, an attacker could inject malicious scripts into the admin panel by triggering exceptions with specially crafted input, allowing them to hijack the administrator's session and perform privileged actions.
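The stored-exception pattern described above, shown as a vulnerable renderer beside its hardened form. This is an added illustration written for this page, not Mailcow's actual code; the request handler, the log structure and the sample payload are all constructed assumptions.

```python
import html

# Constructed sample: markup an attacker could place in a request value that is
# later echoed verbatim into an exception message (illustration, not Mailcow code).
PAYLOAD = "<script>alert(1)</script>"


def capture_exception(log: list, exc: Exception) -> None:
    """Append raw exception details to a log the admin panel later displays.
    Nothing is sanitized here, mirroring the weakness the article describes."""
    log.append({"type": type(exc).__name__, "message": str(exc)})


def process_request(log: list, user_value: str) -> None:
    """Hypothetical handler: validation fails and the exception message echoes
    the offending user-controlled value back."""
    try:
        if not user_value.isalnum():
            raise ValueError(f"rejected value: {user_value}")
    except ValueError as exc:
        capture_exception(log, exc)


def render_exceptions_vulnerable(log: list) -> str:
    """Builds the panel's exception list by plain string interpolation, so any
    stored markup reaches the browser as live HTML."""
    items = "".join(f"<li>{e['type']}: {e['message']}</li>" for e in log)
    return f"<ul>{items}</ul>"


def render_exceptions_hardened(log: list) -> str:
    """Same view with contextual output encoding: every stored string is
    HTML-escaped at the point it is written into a text node, so the markup is
    displayed inertly rather than executed."""
    items = "".join(
        f"<li>{html.escape(e['type'])}: {html.escape(e['message'])}</li>" for e in log
    )
    return f"<ul>{items}</ul>"


def payload_is_live(rendered: str, payload: str = PAYLOAD) -> bool:
    """True if the raw payload survived unencoded in the rendered HTML."""
    return payload in rendered


if __name__ == "__main__":
    log = []
    process_request(log, PAYLOAD)
    print("vulnerable renders live markup:", payload_is_live(render_exceptions_vulnerable(log)))
    print("hardened renders live markup:  ", payload_is_live(render_exceptions_hardened(log)))
```

The same escape-at-output rule applies regardless of where the exception text originated; an allowlist on the input alone does not help once the message is already stored.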

Chained together, the two flaws could allow an attacker to take over accounts on a Mailcow server, access sensitive data, and execute commands.

In a hypothetical attack scenario, an attacker can create an HTML email containing a CSS background image loaded from an external URL to activate an XSS payload.

“By merging both vulnerabilities, an attacker can execute arbitrary code on the admin panel server of a vulnerable mailcow instance,” said SonarSource vulnerability analyst Paul Gerste.

“For this to occur, an admin user must view a malicious email while logged into the admin panel. The victim is not required to click a link within the email or take any other interaction with the email; they only need to continue using the admin panel after seeing the email.”
