PT-2024-31782 · Unknown · Snappymail

Oskar-Zeinomahmalat-Sonarsource · Published 2024-09-16 · Updated 2024-09-20 · CVE-2024-45800

CVSS v3.1: 5.0 (Medium)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: SnappyMail versions prior to 2.38.0
Description: SnappyMail is an open source web-based email client that uses the cleanHtml() function to clean up HTML and CSS in emails. Research found bugs in the function that enable a mutation XSS (mXSS) exploit, allowing a motivated attacker to inject JavaScript. However, due to the default Content Security Policy, the impact of the exploit is minimal. It could be possible to create an attack that leaks some data when loading images through the proxy, or that loads a JavaScript attachment of the email.
Recommendations: Users of versions prior to 2.38.0 are advised to upgrade to version 2.38.0 or later. For older versions, an extension named "Security mXSS" can be installed as a mitigation; it is available in the administration area at /?admin#/packages. As a temporary workaround, consider disabling the cleanHtml() function until a patch is available. Restrict access to the vulnerable cleanHtml() function to minimize the risk of exploitation. Avoid using the cleanHtml() function in the affected API endpoint until the issue is resolved.

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-45800
GHSA-2RQ7-79VP-FFXM

Affected Products

Snappymail