Bulwark Webmail Content Security Policy Misconfiguration Leading to Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Bulwark Webmail versions prior to 1.4.11. The issue arises from the reverse proxy setting the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. With a report-only policy the browser only reports CSP violations; it does not block them, so XSS attempts were logged without being stopped. An attacker who could inject script content, for example through crafted email HTML, could execute arbitrary JavaScript within the application context, potentially stealing session tokens or performing actions on behalf of the user.

Impact

Exploitation of this vulnerability allowed for cross-site scripting attacks, where injected scripts could be executed in the context of the user, potentially leading to session token theft or unauthorized actions on behalf of the user.

Remediation

Users are advised to upgrade to Bulwark Webmail version 1.4.11 or later, where this vulnerability has been fixed by sending the enforcing Content-Security-Policy header instead of the report-only variant. Users deploying behind a separate reverse proxy that already enforces a Content-Security-Policy are not affected.
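One way to catch this class of misconfiguration in a deployment check, as an added example that is not code from the Bulwark Webmail project: the function below takes the response headers obtained from any HTTP client (for instance the output of a HEAD request) and reports whether the CSP is report-only, absent, or enforced but still permissive for scripts. The sample headers at the bottom are constructed to mirror the advisory.

```python
"""Classify an HTTP response's CSP posture. Flags the misconfiguration in the advisory
(only Content-Security-Policy-Report-Only sent: violations reported, nothing blocked)
and an enforcing policy that still lets inline scripts run.
Added example; not code from the Bulwark Webmail project."""
ENFORCING = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"


def parse_csp(value: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def assess_csp(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a list of (name, value) response headers; empty means OK."""
    enforcing = [v for k, v in headers if k.lower() == ENFORCING]
    report_only = [v for k, v in headers if k.lower() == REPORT_ONLY]
    if not enforcing:
        if report_only:
            return ["only Report-Only CSP present: violations are logged, not blocked"]
        return ["no Content-Security-Policy header at all"]
    findings = []
    for value in enforcing:
        policy = parse_csp(value)
        # script-src falls back to default-src; neither present means scripts are unrestricted
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("enforcing CSP sets neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        ):
            # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+)
            findings.append("enforcing CSP allows 'unsafe-inline' scripts")
    return findings


if __name__ == "__main__":
    # Constructed sample headers mirroring the advisory: report-only vs. enforcing.
    before = [("Content-Security-Policy-Report-Only", "default-src 'self'; script-src 'self'")]
    after = [("Content-Security-Policy", "default-src 'self'; script-src 'self'")]
    print("before fix:", assess_csp(before))
    print("after fix:", assess_csp(after))
```

Feed it the headers of the webmail login page as served through the reverse proxy, since that is the layer that set the wrong header here.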

Added: Apr 6, 2026, 9:25 PM
Updated: Apr 6, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.4
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.