CVE-2024-31204 MEDIUM

CVE-2024-31204: mailcow Cross-site Scripting Vulnerability via Exception Handler

Vendor Mailcow

Product mailcow-dockerized

Weakness CWE-79 · XSS

Published April 4, 2024

Last update December 12, 2024

View on NVD All CVEs

CVSS base score

6.1/10

Attack vector Adjacent

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.

Key dates

02Disclosure timeline

April 4, 2024 CVE published

December 12, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-31204

Related vulnerabilities

CVE-2024-31204: mailcow Cross-site Scripting Vulnerability via Exception Handler

01Description

02Disclosure timeline

03References

04Related CVE