NVD Vulnerability Details :
CVE-2024-31204
Analyzed
Source: security-advisories@github.com
Published At: 04 Apr, 2024 | 21:15
Updated At: 06 Oct, 2025 | 15:31

mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with a user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue.
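The mechanism described above, as an added illustration that is not taken from the advisory or from mailcow's code (mailcow is written in PHP; this Python stands in for the rendering step, and the exception text is constructed). It puts the flawed pattern, an unencoded message dropped into an inline script block, beside the encoding that keeps a message inside the JavaScript string literal no matter what it contains:

```python
import html
import json
import re

# Constructed sample: an exception message that carries attacker-controlled text
# (the value is made up for this example, not taken from mailcow or the advisory).
UNTRUSTED_EXC_MSG = 'Invalid address: </script><script>alert(1)</script>'


def render_error_vulnerable(msg: str) -> str:
    """Reproduces the flawed pattern: the raw message is interpolated into an
    inline <script> block, so a '</script>' inside it ends the block early and
    whatever follows is parsed as fresh HTML."""
    return '<script>\nvar err = "' + msg + '";\nshowError(err);\n</script>'


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal that is safe inside an inline
    <script> block. json.dumps escapes quotes, backslashes and control characters;
    '<', '>' and '&' are then rewritten as \\uXXXX escapes so the HTML parser can
    never see a tag boundary, while JavaScript still decodes the original text."""
    return (json.dumps(value)
            .replace('<', '\\u003c')
            .replace('>', '\\u003e')
            .replace('&', '\\u0026'))


def render_error_hardened(msg: str) -> str:
    """Same page fragment with context-appropriate encoding for each sink:
    the JS literal for the script block, HTML entity escaping for the markup."""
    return ('<script>\nvar err = ' + js_string_literal(msg) + ';\nshowError(err);\n</script>\n'
            '<noscript><p>' + html.escape(msg, quote=True) + '</p></noscript>')


def count_script_openers(document: str) -> int:
    """Reviewer check: how many <script> tags does the HTML parser see? A
    correctly encoded error page has exactly one regardless of the message."""
    return len(re.findall(r'<script\b', document, flags=re.IGNORECASE))


def literal_roundtrips(value: str) -> bool:
    """The \\uXXXX escapes are valid JSON too, so decoding the literal must
    reproduce the original message exactly."""
    return json.loads(js_string_literal(value)) == value


if __name__ == '__main__':
    print('vulnerable:', count_script_openers(render_error_vulnerable(UNTRUSTED_EXC_MSG)))  # 2
    print('hardened:  ', count_script_openers(render_error_hardened(UNTRUSTED_EXC_MSG)))   # 1
```

The same check, counting script openers in a rendered error page, is a cheap regression test for any template that echoes exception text.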

CISA Catalog
Not listed (Date Added: N/A; Due Date: N/A; Vulnerability Name: N/A; Required Action: N/A)
Metrics
Type: Secondary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CPE Matches
Vendor: mailcow
Product: mailcow:_dockerized
cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*
Weaknesses
CWE ID: CWE-79
Type: Secondary
Source: security-advisories@github.com
References
Hyperlink: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm
Source: security-advisories@github.com
Resource: Vendor Advisory

Hyperlink: https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sanitize-error-messages
Source: security-advisories@github.com
Resource: Exploit, Third Party Advisory

Hyperlink: https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-fp6h-63w4-5hcm
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Vendor Advisory

Hyperlink: https://www.vicarius.io/vsociety/posts/mailcow-with-xss-and-path-traversal-cve-2024-31204-and-cve-2024-30270
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Exploit, Third Party Advisory
Change History
0 changes found