- Description
- mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allows an attacker to manipulate the `Host HTTP` header to generate a password reset link pointing to an attacker-controlled domain. This can lead to account takeover if a user clicks the poisoned link. Version 2025-01a contains a patch. As a workaround, deactivate the password reset functionality by clearing `Notification email sender` and `Notification email subject` under System -> Configuration -> Options -> Password Settings.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 7.1
- Impact score
- 4.2
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-601
- Hype score
- Not currently trending
Mailcow has patched a password reset poisoning vulnerability (CVE-2025-25198). Users are advised to update. More details: https://t.co/y4rEnZRcOR #CyberSecurity #Infosec
@adriananglin
17 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Mailcow Patches Password Reset Poisoning Vulnerability (CVE-2025-25198) Learn about CVE-2025-25198 and how it affects mailcow's password reset feature. Stay secure with the latest patch details https://t.co/cHazRAHsPO
@the_yellow_fall
17 Feb 2025
233 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-25198 Host Header Injection Vulnerability in Mailcow Allowing Unauthorized Password Reset https://t.co/zXJbIALaqq
@VulmonFeeds
12 Feb 2025
5 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-25198 mailcow: dockerized is an open source groupware/email suite based on docker. Prior to version 2025-01a, a vulnerability in mailcow's password reset functionality allo… https://t.co/lsr9KXPz0H
@CVEnew
12 Feb 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes