CVE-2024-31204 – mailcow Cross-site Scripting Vulnerability via Exception Handler
https://notcve.org/view.php?id=CVE-2024-31204
04 Apr 2024 — mailcow: dockerized is an open source groupware/email suite based on Docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HT... • https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')