mailcow: dockerized Stored Cross-Site Scripting Vulnerability in Autodiscover Logs

Vulnerability

A stored cross-site scripting vulnerability has been identified in mailcow: dockerized versions prior to 2026-03b. The issue arises in the admin dashboard's Autodiscover logs, where the EMailAddress value is rendered without proper HTML escaping. This flaw allows an unauthenticated attacker to send a crafted Autodiscover request that injects HTML or JavaScript. The malicious payload is stored in Redis and executed when an admin views the Autodiscover logs.

Impact

Successful exploitation results in stored cross-site scripting: the injected script runs in the browser of the user viewing the logs, with that user's session and privileges, which may lead to disclosure of sensitive information or unauthorized actions within the application.

Reproduction

To reproduce this vulnerability, send an unauthenticated POST request to the Autodiscover endpoint with a crafted EMailAddress that includes HTML or JavaScript. This payload will be logged and executed when an administrator views the Autodiscover logs.

Remediation

Users can update to mailcow: dockerized version 2026-03b or later to address this vulnerability.

Added: Apr 21, 2026, 9:06 PM
Updated: Apr 21, 2026, 9:06 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 7.9
remediation: 7.7
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.