mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
CVE-2022-39258

8.1HIGH

Key Information:

Vendor: Mailcow
Status: Mailcow-dockerized
Vendor: CVE Published:; 27 September 2022

What is CVE-2022-39258?

mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server.

Affected Version(s)

mailcow-dockerized < 2022-09

References

https://github.com/mailcow/mailcow-dockerized/security/ad...

x_refsource_CONFIRM

https://github.com/mailcow/mailcow-dockerized/pull/4766

x_refsource_MISC

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 27, 2022
Vulnerability Reserved
Sep 2, 2022

CVE-2022-39258 Data

JSON

Mailcow

What is CVE-2022-39258?

Affected Version(s)

References

CVSS V3.1

Timeline