Vladimirborisov

#29903 of 53,632
8.8 Total CVSS
Vulnerabilities · 1
PT-2023-24679
8.8
2023-06-07
Mailcow · Mailcow · CVE-2023-34108
**Name of the Vulnerable Software and Affected Versions**

mailcow versions prior to 2023-05a

**Description**

A vulnerability has been discovered in mailcow that allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the string returned by the script and thereby influence the internal behavior of Dovecot. For example, using the password `123 mail_crypt_save_version=0` would cause the `passwd-verify.lua` script to return the string `password=123 mail_crypt_save_version=0`, so the appended pair is interpreted by Dovecot as a setting rather than as part of the password. This vulnerability can be exploited by an authenticated attacker who has the ability to set their own password. Successful exploitation could result in unauthorized access to user accounts, bypassing of security controls, or other malicious activity.

**Recommendations**

For versions prior to 2023-05a, upgrade to version 2023-05a to resolve the issue. As a temporary workaround, consider restricting the ability of users to set their own passwords until the upgrade is applied. Additionally, monitor user account activity for any signs of unauthorized access or malicious behavior.