
Path Traversal and Arbitrary Code Execution Vulnerability

Moderate
FreddleSpl0it published GHSA-4m8r-87gc-3vvp Apr 4, 2024

Package

mailcow: dockerized

Affected versions

< 2024-04.

Patched versions

>= 2024-04.

Description

Impact

mailcow versions before 2024-04 contain a path traversal in the rspamd_maps() function that can be chained into arbitrary code execution. Because the function does not properly validate the submitted path, an authenticated admin user can write outside the intended maps directory and overwrite any file writable by the www-data user. That arbitrary-write primitive can then be chained into execution of arbitrary commands on the server.
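The advisory describes the bug class but not the code. The following is an added illustration, not mailcow's own code (its web UI and rspamd_maps() are PHP; the pattern is shown here in Python because it is language-neutral): a map-write handler that joins the submitted name onto a base directory, beside a hardened version that allowlists the name, canonicalises the path, and confines it to the maps directory. The directory layout, the map names in ALLOWED_MAPS, and the function names are constructed for this example.

```python
import os
import tempfile

# Constructed layout (for this example only): a stand-in for the rspamd
# custom-maps directory and a sibling directory representing "any file
# writable by www-data" elsewhere on the host.
ROOT = tempfile.mkdtemp(prefix="maps-demo-")
MAPS_DIR = os.path.join(ROOT, "rspamd", "custom")
OUTSIDE_DIR = os.path.join(ROOT, "outside")
os.makedirs(MAPS_DIR)
os.makedirs(OUTSIDE_DIR)

# Hypothetical allowlist of map names the admin UI is meant to expose.
ALLOWED_MAPS = {"global_rbl_whitelist.map", "bad_words.map"}


class MapPathError(ValueError):
    """Raised when a submitted map name does not resolve inside MAPS_DIR."""


def write_map_vulnerable(map_name, content):
    """Vulnerable pattern: join the submitted name onto the base directory.

    os.path.join does not neutralise '..' components, and an absolute
    map_name replaces the base entirely, so the write can land anywhere
    the process user may write.
    """
    target = os.path.join(MAPS_DIR, map_name)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def resolve_map_path(map_name):
    """Hardened: allowlist the name, then canonicalise and confine the result.

    The allowlist alone is not enough: an allowed name could be a symlink
    planted inside MAPS_DIR, so the resolved path is checked as well.
    """
    if map_name not in ALLOWED_MAPS:
        raise MapPathError("unknown map name: %r" % map_name)
    base = os.path.realpath(MAPS_DIR)
    target = os.path.realpath(os.path.join(base, map_name))
    # Append the separator so a sibling such as '.../customX/file' is
    # not accepted on a bare string-prefix match.
    if not target.startswith(base + os.sep):
        raise MapPathError("map path escapes %s: %r" % (base, target))
    return target


def write_map_hardened(map_name, content):
    """Same write as above, but only after resolve_map_path() accepts the name."""
    target = resolve_map_path(map_name)
    with open(target, "w", encoding="utf-8") as fh:
        fh.write(content)
    return target


def demo():
    """Exercise both handlers and report what each did."""
    traversal = "../../outside/owned.txt"

    # 1. The vulnerable handler follows '..' out of MAPS_DIR.
    written = write_map_vulnerable(traversal, "attacker content\n")
    escaped = os.path.realpath(written).startswith(
        os.path.realpath(OUTSIDE_DIR) + os.sep)

    # 2. A symlink inside MAPS_DIR that carries an allowed name but points outside.
    link = os.path.join(MAPS_DIR, "global_rbl_whitelist.map")
    if not os.path.lexists(link):
        os.symlink(os.path.join(OUTSIDE_DIR, "target.txt"), link)

    # 3. The hardened handler rejects traversal, absolute paths, and the symlink.
    rejected = []
    for name in (traversal, "/etc/passwd", "bad_words.map/../../outside/x",
                 "global_rbl_whitelist.map"):
        try:
            write_map_hardened(name, "x\n")
        except MapPathError:
            rejected.append(name)

    # 4. A legitimate map name still works and stays inside MAPS_DIR.
    ok = write_map_hardened("bad_words.map", "example-spam-token\n")
    ok_inside = ok.startswith(os.path.realpath(MAPS_DIR) + os.sep)

    return {
        "vulnerable_escaped": escaped,
        "rejected": rejected,
        "legit_inside": ok_inside,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two checks are deliberately layered: the allowlist stops names the UI never meant to accept, and the realpath-plus-prefix check catches what an allowlist cannot see, such as a symlink that already sits in the maps directory. When auditing an instance, the question to ask of the patched rspamd_maps() is the same one this example answers: is the final, resolved path compared against the intended directory before the write happens?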

Patches

Versions including 2024-04 and later

Severity

Moderate
6.7 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2024-30270

Weaknesses

No CWEs

Credits