CVE-2024-41960

mailcow: dockerized is an open source groupware/email suite based on docker. An authenticated admin user can inject a JavaScript payload into the Relay Hosts configuration. The injected payload is executed whenever the configuration page is viewed, enabling the attacker to execute arbitrary scripts in the context of the user's browser. This could lead to data theft, or further exploitation. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*

History

19 Sep 2024, 20:01

Type Values Removed Values Added
First Time Mailcow mailcow\
Mailcow
CVSS v2 : unknown
v3 : 3.8
v2 : unknown
v3 : 4.8
CPE cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*
References () https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a - () https://github.com/mailcow/mailcow-dockerized/commit/efb2572f0fa57628ad98a76a4ae884a10cac0a1a - Patch
References () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv - () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-jpp8-rhg6-4vvv - Third Party Advisory

06 Aug 2024, 16:30

Type Values Removed Values Added
Summary
  • (es) mailcow: dockerized es un software colaborativo/paquete de correo electrónico de código abierto basado en Docker. Un usuario administrador autenticado puede inyectar un payload de JavaScript en la configuración de los hosts de retransmisión. El payload inyectado se ejecuta cada vez que se ve la página de configuración, lo que permite al atacante ejecutar scripts arbitrarios en el contexto del navegador del usuario. Esto podría conducir al robo de datos o a una mayor explotación. Este problema se solucionó en la versión "2024-07". Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

05 Aug 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-05 20:15

Updated : 2024-09-19 20:01


NVD link : CVE-2024-41960

Mitre link : CVE-2024-41960

CVE.ORG link : CVE-2024-41960


JSON object : View

Products Affected

mailcow

  • mailcow\
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')