CVE-2023-49077 - OpenCVE

Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mailcow	Mailcow\

Configuration 1 [-]

cpe:2.3:a:mailcow:mailcow\:_dockerized:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11
https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-30T07:14:04.580Z

Updated: 2024-08-02T21:46:29.125Z

Reserved: 2023-11-21T18:57:30.427Z

Link: CVE-2023-49077

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-11-30T07:15:08.267

Modified: 2023-12-05T17:39:23.030

Link: CVE-2023-49077

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49077", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-21T18:57:30.427Z", "datePublished": "2023-11-30T07:14:04.580Z", "dateUpdated": "2024-08-02T21:46:29.125Z"}, "containers": {"cna": {"title": "mailcow-dockerized XSS Vulnerability in Quarantine UI Allows Unauthorized Access and Data Manipulation", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g"}, {"name": "https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11", "tags": ["x_refsource_MISC"], "url": "https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11"}], "affected": [{"vendor": "mailcow", "product": "mailcow-dockerized", "versions": [{"version": "< 2023-11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-11-30T07:14:04.580Z"}, "descriptions": [{"lang": "en", "value": "Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11."}], "source": {"advisory": "GHSA-46x4-w2fm-5x6g", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:46:29.125Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g"}, {"name": "https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mailcow:mailcow\\:_dockerized:*:*:*:*:*:*:*:*", "matchCriteriaId": "C930A17B-FAA0-4514-860B-A72EC00CFE51", "versionEndExcluding": "2023-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mailcow: dockerized is an open source groupware/email suite based on docker. A Cross-Site Scripting (XSS) vulnerability has been identified within the Quarantine UI of the system. This vulnerability poses a significant threat to administrators who utilize the Quarantine feature. An attacker can send a carefully crafted email containing malicious JavaScript code. This issue has been patched in version 2023-11."}, {"lang": "es", "value": "Mailcow: dockerized es un software colaborativo/paquete de correo electr\u00f3nico de c\u00f3digo abierto basado en Docker. Se ha identificado una vulnerabilidad de Cross-Site Scripting (XSS) dentro de la interfaz de usuario de cuarentena del sistema. Esta vulnerabilidad representa una amenaza importante para los administradores que utilizan la funci\u00f3n Cuarentena. Un atacante puede enviar un correo electr\u00f3nico cuidadosamente elaborado que contenga c\u00f3digo JavaScript malicioso. Este problema se solucion\u00f3 en la versi\u00f3n 2023-11."}], "id": "CVE-2023-49077", "lastModified": "2023-12-05T17:39:23.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-11-30T07:15:08.267", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mailcow/mailcow-dockerized/releases/tag/2023-11"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mailcow/mailcow-dockerized/security/advisories/GHSA-46x4-w2fm-5x6g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}