CVE-2024-56529
Published: 28 January 2025
Description
Mailcow through 2024-11b has a session fixation vulnerability in the web panel. It allows remote attackers to set a session identifier when HSTS is disabled on a victim's browser. After a user logs in, they are authenticated and the session identifier is valid. Then, a remote attacker can access the victim's web panel with the same session identifier.
Security Summary
CVE-2024-56529 is a session fixation vulnerability (CWE-384) in the web panel of Mailcow through version 2024-11b. Published on 2025-01-28, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N), indicating network-accessible exploitation with low complexity, no privileges required, and user interaction needed, resulting in low confidentiality impact, high integrity impact, and no availability impact.
Remote attackers without privileges can exploit this vulnerability by setting a session identifier on a victim's browser when HSTS is disabled. After the victim authenticates by logging into the web panel, the session identifier becomes valid for authenticated access, enabling the attacker to hijack the session and access the victim's web panel using the same identifier.
Mitigation details are available in the vendor's security advisory at https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-23c8-4wwr-g3c6.
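To illustrate the vulnerability class and its fix in code, the following is an added example and not mailcow's own code (mailcow's web panel is PHP; this is a Python model, and the session store, planted identifier and user name are constructed). It contrasts a handler that adopts whatever session identifier the browser presents and keeps it across login with one that honours only server-issued identifiers and regenerates the identifier when the user authenticates:

```python
import secrets


class VulnerableSessions:
    """Adopts any client-presented id and keeps it across login (session fixation)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": ...}

    def request(self, cookie_sid):
        # Unknown ids are accepted as-is instead of being replaced by a server-minted one.
        if cookie_sid not in self.sessions:
            self.sessions[cookie_sid] = {"user": None}
        return cookie_sid

    def login(self, sid, user):
        # Authenticates in place: an id planted before login stays valid afterwards.
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedSessions:
    """Server-issued ids only, plus a fresh id on every privilege change (login)."""

    def __init__(self):
        self.sessions = {}

    def request(self, cookie_sid):
        # An id the server never issued is ignored and a new one is minted.
        if cookie_sid in self.sessions:
            return cookie_sid
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": None}
        return new_sid

    def login(self, sid, user):
        # Regenerate on authentication so a pre-login id is never an authenticated one.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def planted_id_valid_after_login(store_cls):
    """Check: is a session id set before login still authenticated after login?"""
    store = store_cls()
    planted = "PLANTED-BEFORE-LOGIN"        # constructed value, cookie set pre-auth
    victim_sid = store.request(planted)     # victim's browser presents that cookie
    store.login(victim_sid, "victim@example.test")
    return store.user_for(planted) == "victim@example.test"
```

The check returns True for the vulnerable store and False for the hardened one; a Secure cookie attribute and HSTS additionally stop the identifier from being set over plain HTTP in the first place.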
Details
- CWE(s)