CVE-2024-41959

{"id": "CVE-2024-41959", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2024-08-05T20:15:36.270", "references": [{"url": "https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "mailcow: dockerized es un software colaborativo/paquete de correo electr\u00f3nico de c\u00f3digo abierto basado en Docker. Un atacante no autenticado puede inyectar un payload de JavaScript en los registros de API. Este payload se ejecuta cada vez que se ve la p\u00e1gina de registros de API, lo que potencialmente permite que un atacante ejecute scripts maliciosos en el contexto del navegador del usuario. Esto podr\u00eda dar lugar a acciones no autorizadas, robo de datos o una mayor explotaci\u00f3n del sistema afectado. Este problema se solucion\u00f3 en la versi\u00f3n \"2024-07\". Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-09-19T20:14:02.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mailcow:mailcow\\:_dockerized:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "995C99DD-01FE-4772-808E-1A927518ED1D", "versionEndExcluding": "2024-07"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}