Derlinkman

**Name of the Vulnerable Software and Affected Versions** mailcow versions prior to 2024-01c **Description** A security issue has been identified in mailcow, a dockerized email package. This issue potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules, which drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`. **Recommendations** For versions prior to 2024-01c, update to version 2024-01c or later to resolve the issue. As a temporary workaround, consider implementing additional iptables/nftables rules to drop packets for Docker containers on vulnerable ports, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`. Restrict access to the exposed ports to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mailcow: dockerized versions prior to 2023-11 **Description** A Cross-Site Scripting (XSS) issue has been identified within the Quarantine UI of the system, posing a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. **Recommendations** For versions prior to 2023-11, update to version 2023-11 to resolve the issue. As a temporary workaround, consider restricting access to the Quarantine UI to minimize the risk of exploitation. Avoid using the Quarantine feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** mailcow versions prior to the 2023-03 Update **Description** The Sync Job feature in mailcow, a dockerized email package, suffers from a shell command injection. This allows a malicious user to obtain shell access to the Docker container running dovecot by abusing the vulnerability. The imapsync Perl script, which implements the necessary functionality for this feature, including the XOAUTH2 authentication mechanism, creates a shell command to call openssl. However, since different parts of the specified user password are included without any validation, one can simply execute additional shell commands. The default ACL for a newly-created mailcow account does not include the necessary permission. **Recommendations** As a temporary workaround, consider removing the Syncjob ACL from all mailbox users to prevent creating or changing existing Syncjobs. Update to the 2023-03 Update or later to fix the issue.

**Name of the Vulnerable Software and Affected Versions** mailcow-dockerized versions prior to 2022-06a **Description** The issue concerns an extended privilege vulnerability in mailcow, a mailserver suite. This vulnerability can be exploited by manipulating custom parameters such as `regexmess`, `skipmess`, `regexflag`, `delete2foldersonly`, `delete2foldersbutnot`, `regextrans2`, `pipemess`, or `maxlinelengthcmd` to execute arbitrary code. **Recommendations** For versions prior to 2022-06a, update the mailcow instance with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, consider removing the Syncjob ACL from all mailbox users to prevent changes to those settings.