CVE-2022-39258— mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-39258
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mailcow-dockerized critical information misrepresentation can lead to phishing attacks through Swagger UI
Source: NVD (National Vulnerability Database)
Vulnerability Description
mailcow is a mailserver suite. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swapper API Documentation from their e-mail server.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
关键信息的UI错误表达
Source: NVD (National Vulnerability Database)
Vulnerability Title
mailcow 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
mailcow是一个邮件服务器套件。 mailcow 2022-09之前版本存在安全漏洞,该漏洞源于允许攻击者制作自定义Swagger API模板来欺骗授权链接,这可能会将受害者重定向到攻击者控制器指定位置,以窃取Swagger授权凭据或创建网络钓鱼页面以窃取其他信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| mailcow | mailcow-dockerized | < 2022-09 | - |
II. Public POCs for CVE-2022-39258
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-39258
请登录查看更多情报信息。
- https://github.com/mailcow/mailcow-dockerized/pull/4766x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-39258
IV. Related Vulnerabilities
Same product: mailcow-dockerized
- CVE-2026-40878
mailcow-dockerized Login Page has Reflected Parameter Inject - CVE-2026-40875
mailcow: dockerized vulnerable to stored XSS in user login h - CVE-2026-40874
mailcow: dockerized missing authorization on Forwarding Host - CVE-2026-40873
mailcow: dockerized vulnerable to stored XSS in Quarantine a - CVE-2026-40872
mailcow: dockerized vulnerable to stored XSS in autodiscover
Same vendor: mailcow
- CVE-2026-40878
mailcow-dockerized Login Page has Reflected Parameter Inject - CVE-2026-40875
mailcow: dockerized vulnerable to stored XSS in user login h - CVE-2026-40874
mailcow: dockerized missing authorization on Forwarding Host - CVE-2026-40873
mailcow: dockerized vulnerable to stored XSS in Quarantine a - CVE-2026-40872
mailcow: dockerized vulnerable to stored XSS in autodiscover
Same weakness: CWE-451
- CVE-2026-35371
uutils coreutils id Misleading Identity Reporting in Pretty - CVE-2026-33118
Microsoft Edge (Chromium-based) Spoofing Vulnerability - CVE-2026-33119
Microsoft Edge (Chromium-based) for Android Spoofing Vulnera - CVE-2026-32971
OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows - CVE-2026-0385
Microsoft Edge (Chromium-based) for Android Spoofing Vulnera
V. Comments for CVE-2022-39258
No comments yet