CVE-2022-39258
HIGHmailcow < 2022-09 - Open Redirect via Spoofed Swagger Authorize Link
Title source: llmDescription
mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server.
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-vjgf-cp5p-wm45
Patch, Third Party Advisory x_refsource_misc
https://github.com/mailcow/mailcow-dockerized/pull/4766
Scores
CVSS v3
8.1
EPSS
0.0061
EPSS Percentile
44.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-601
CWE-451
CWE-200
Status
published
Products (1)
mailcow/mailcow\
< 2022-09
Published
Sep 27, 2022
Tracked Since
Feb 18, 2026