Products
mailcow: dockerized
- 2024-07
Source
security-advisories@github.com
Tags
CVE-2024-41959 details
Last Modified : Aug. 5, 2024, 8:15 p.m.
Description
mailcow: dockerized is an open source groupware/email suite based on docker. An unauthenticated attacker can inject a JavaScript payload into the API logs. This payload is executed whenever the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system. This issue has been addressed in the `2024-07` release. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.6 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
Base Score
7.6
Exploitability Score
2.8
Impact Score
4.7
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
References
| URL | Source |
|---|---|
| https://github.com/mailcow/mailcow-dockerized/commit/66aa28b5de282fc037e0d2f02fbdc84539b614a1 | security-advisories@github.com |
| https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-v3r3-8f69-ph29 | security-advisories@github.com |