CVE-2024-41959

mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*

History

19 Sep 2024, 20:14

Type Values Removed Values Added
References () https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1 - () https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1 - Patch
References () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29 - () https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29 - Third Party Advisory
CVSS v2 : unknown
v3 : 7.6
v2 : unknown
v3 : 6.1
First Time Mailcow mailcow\
Mailcow
CPE cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*

06 Aug 2024, 16:30

Type Values Removed Values Added
Summary
  • (es) mailcow: dockerized es un software colaborativo/paquete de correo electrónico de código abierto basado en Docker. Un atacante no autenticado puede inyectar un payload de JavaScript en los registros de API. Este payload se ejecuta cada vez que se ve la página de registros de API, lo que potencialmente permite que un atacante ejecute scripts maliciosos en el contexto del navegador del usuario. Esto podría dar lugar a acciones no autorizadas, robo de datos o una mayor explotación del sistema afectado. Este problema se solucionó en la versión "2024-07". Se recomienda a todos los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.

05 Aug 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-05 20:15

Updated : 2024-09-19 20:14


NVD link : CVE-2024-41959

Mitre link : CVE-2024-41959

CVE.ORG link : CVE-2024-41959


JSON object : View

Products Affected

mailcow

  • mailcow\
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')