OS Command Injection in mailcow

mailcow is a mailserver suite. Prior to mailcow-dockerized version 2022-06a, an extended privilege vulnerability can be exploited by manipulating the custom parameters regexmess, skipmess, regexflag, delete2foldersonly, delete2foldersbutnot, regextrans2, pipemess, or maxlinelengthcmd to execute arbitrary code. Users should update their mailcow instances with the `update.sh` script in the mailcow root directory to 2022-06a or newer to receive a patch for this issue. As a temporary workaround, the Syncjob ACL can be removed from all mailbox users, preventing changes to those settings.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

mailcow 操作系统命令注入漏洞

mailcow是一个邮件服务器套件。 mailcow 2022-06a之前版本存在操作系统命令注入漏洞，该漏洞源于可以通过操纵自定义参数 regexmess、skipmess、regexflag、delete2foldersonly、delete2foldersbutnot、regextrans2、pipemess 或 maxlinelengthcmd 来利用扩展权限漏洞来执行任意代码。

N/A

N/A