PT-2024-5831 · Mailcow

Julian B · Published 2024-08-05 · Updated 2024-09-19 · CVE-2024-41959

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
Name of the Vulnerable Software and Affected Versions: mailcow: dockerized, versions prior to 2024-07

Description: The issue allows an unauthenticated attacker to inject a JavaScript payload into the API logs. This payload is executed when the API logs page is viewed, potentially allowing an attacker to run malicious scripts in the context of the user's browser. This could lead to unauthorized actions, data theft, or further exploitation of the affected system.

Recommendations: For versions prior to 2024-07, upgrade to the 2024-07 release or later to address the issue. As a temporary workaround, consider restricting access to the API logs page until the upgrade is applied. Avoid viewing the API logs page from an untrusted source to minimize the risk of exploitation.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2024-06576
CVE-2024-41959
GHSA-V3R3-8F69-PH29

Affected Products

Mailcow