PT-2024-23848 · Mailcow · Mailcow

Alchemist · Published 2024-04-04 · Updated 2025-10-06 · CVE-2024-31204

CVSS v3.1: 6.1 (Medium)
Vector: AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: mailcow versions prior to 2024-04

Description: A security issue has been identified in the exception handling mechanism of mailcow, specifically when not operating in DEV MODE. The system saves exception details into a session array without proper sanitization or encoding; these details are later rendered into HTML and executed in a JavaScript block within the user's browser without adequate escaping of HTML entities. This allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input, potentially leading to session hijacking and unauthorized administrative actions.

Recommendations: For versions prior to 2024-04, update to version 2024-04 to resolve the issue. As a temporary workaround, consider restricting access to functions that might throw exceptions with user-controllable arguments until the update is applied.
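As an added illustration of the encoding defect described above (this is not mailcow's own code; the exception message is constructed and showAlert is a hypothetical page function), the following Python contrasts raw interpolation of an exception message into a script block with a JavaScript-string encoding that stays intact under the HTML parser:

```python
import json

# Constructed sample exception message (assumption: stands in for an
# unsanitized message that was stored in the session array). It contains
# characters that are significant to the HTML parser inside <script>.
SAMPLE_MESSAGE = 'Invalid argument: </script><script>/*injected*/</script>\u2028'


def render_unsafe(message: str) -> str:
    """Vulnerable pattern: the message is dropped straight into a script
    block. The HTML parser sees the embedded </script>, ends the block
    early, and parses the remainder as new markup."""
    return f'<script>showAlert("{message}");</script>'  # showAlert: hypothetical


def js_string_literal(value: str) -> str:
    """Encode a string as a JavaScript string literal that is safe to embed
    in an inline <script> block."""
    # json.dumps quotes the value and escapes backslashes, quotes and control
    # characters; ensure_ascii also turns U+2028/U+2029 (JS line terminators)
    # into \u escapes.
    encoded = json.dumps(value, ensure_ascii=True)
    # The HTML parser does not interpret JS escapes, so any '<' that could
    # start </script> has to be neutralised at the JS level as well. The
    # decoded JS value is unchanged.
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_safe(message: str) -> str:
    """Hardened pattern: the message reaches the browser as a JS string
    literal whose decoded value equals the original message."""
    return f'<script>showAlert({js_string_literal(message)});</script>'


def script_block_intact(html: str) -> bool:
    """A correctly rendered snippet contains exactly one opening and one
    closing script tag; an early </script> from the message breaks this."""
    lowered = html.lower()
    return lowered.count('<script') == 1 and lowered.count('</script') == 1


if __name__ == '__main__':
    print('unsafe intact:', script_block_intact(render_unsafe(SAMPLE_MESSAGE)))
    print('safe intact:  ', script_block_intact(render_safe(SAMPLE_MESSAGE)))
    print(render_safe(SAMPLE_MESSAGE))
```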

Tags: Exploit · Fix · XSS

Related Identifiers

CVE-2024-31204
GHSA-FP6H-63W4-5HCM

Affected Products

Mailcow