CVE-2022-39258

HIGH

Mailcow < 2022-09 - Information Disclosure

Title source: rule

Description

mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server.

References (2)

[Exploit, Third Party Advisory] https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45

[Patch, Third Party Advisory] https://github.com/mailcow/mailcow-dockerized/pull/4766

Scores

CVSS v3 8.1

EPSS 0.0027

EPSS Percentile 50.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-601 CWE-451 CWE-200

Status published

Products (1)

mailcow/mailcow\ < 2022-09

Published Sep 27, 2022

Tracked Since Feb 18, 2026