PT-2024-5829 · Mailcow · Mailcow

Julian B · Published 2024-08-05 · Updated 2024-09-19 · CVE-2024-41960

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized, versions prior to 2024-07

Description: The vulnerability lies in the Relay Hosts configuration, where an authenticated admin user can inject a JavaScript payload. The payload is executed when the configuration page is viewed, allowing the attacker to run arbitrary scripts in the context of the viewing user's browser, which could lead to data theft or further exploitation.

Recommendations: For versions prior to 2024-07, upgrade to the 2024-07 release or later. As a temporary workaround, restrict access to the Relay Hosts configuration page to minimize the risk of exploitation, and avoid using the Relay Hosts configuration until the issue is resolved.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2024-06574
CVE-2024-41960
GHSA-JPP8-RHG6-4VVV

Affected Products

Mailcow