CVE-2022-39258: 2022-09 by DerLinkman · Pull Request #4766 · mailcow/mailcow-dockerized
mailcow is a mailserver suite. A vulnerability in versions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker-controlled location to steal Swagger authorization credentials or to a phishing page that steals other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swagger API Documentation from their e-mail server.
Receiving mails for wildcard alias addresses is really easy – but sending mails from those any-aliases was not possible at all unless every sender address was added as an explicit alias to the database.
With this change in the database query for allowed sender addresses, the first `not NULL` result (see [`SELECT COALESCE`](https://www.w3schools.com/sql/func_sqlserver_coalesce.asp) for how it works) – either an exact alias `[email protected]` or the wildcard alias `@domain.tld` – will be allowed to send mails as the given address … without the need of an explicit definition within the database.
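The lookup described above, as an added example that is not mailcow's own code: the table, column names (`address`, `goto`, `active`) and sample rows are constructed assumptions, and the query uses `COALESCE` to take the exact-alias match first and the wildcard-alias match second, with both subqueries restricted to aliases that are delivered to the authenticated mailbox so a wildcard on one domain cannot be used to send as addresses of another.

```python
import sqlite3

# Constructed schema (assumption, not mailcow's real table): each row maps an
# alias address, either exact "user@domain.tld" or wildcard "@domain.tld",
# to the mailbox that owns it.
SCHEMA = """
CREATE TABLE alias (
  address TEXT NOT NULL,
  goto    TEXT NOT NULL,
  active  INTEGER NOT NULL
);
"""
SAMPLE_ROWS = [
    ("sales@example.org", "alice@example.org", 1),  # explicit alias
    ("@example.org",      "alice@example.org", 1),  # wildcard alias
    ("info@example.net",  "bob@example.net",   1),
]

# COALESCE returns the first non-NULL argument: the exact alias if present,
# otherwise the wildcard alias, otherwise NULL (sender not allowed).
# Both lookups are bound to the authenticated mailbox (goto).
ALLOWED_SENDER_SQL = """
SELECT COALESCE(
  (SELECT address FROM alias
     WHERE address = :sender   AND goto = :username AND active = 1),
  (SELECT address FROM alias
     WHERE address = :wildcard AND goto = :username AND active = 1)
)
"""


def open_db():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO alias VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def allowed_sender(conn, username, sender):
    """Return the alias entry that lets `username` send as `sender`, or None."""
    if "@" not in sender:
        return None
    wildcard = "@" + sender.rsplit("@", 1)[1]
    params = {"sender": sender, "username": username, "wildcard": wildcard}
    return conn.execute(ALLOWED_SENDER_SQL, params).fetchone()[0]
```

The two-argument `COALESCE` is the whole change: an address that matches neither subquery yields NULL and is refused, exactly as before, while a wildcard alias now covers every local part of its domain for the mailbox it is delivered to.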
Update Version of Docker-Image according to [related comment](#4703 (comment))
* build: harden integration_tests.yml permissions
Signed-off-by: Alex [email protected]
* build: harden image_builds.yml permissions
Signed-off-by: Alex [email protected]
Signed-off-by: Alex [email protected]
Co-authored-by: Niklas Meyer [email protected]
Co-authored-by: Burak Buylu [email protected]
Co-authored-by: milkmaker [email protected]
Co-authored-by: Burak Buylu [email protected]
[API] Update swagger version
Improve send-as behaviour