mailcow: dockerized Stored Cross-Site Scripting Vulnerability in Login History

Vulnerability

A stored cross-site scripting vulnerability has been identified in mailcow: dockerized versions prior to 2026-03b. The issue arises in the user dashboard's 'Seen successful connections' login history, which displays client IPs from login logs without proper HTML escaping. Because the server trusts the 'X-Real-IP' header when it writes these logs, an attacker can place HTML or JavaScript in that header and have it stored as the "client IP" of a login. The stored payload can then be turned against a victim through a login Cross-Site Request Forgery (CSRF) attack: the victim is forced to log into the attacker's account, the payload executes when the dashboard renders the login history, and it can then access sensitive information, such as emails, in a separate browser tab.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to unauthorized access to sensitive information, such as email content or account credentials.

Reproduction

To reproduce this vulnerability, log into an affected mailcow: dockerized account as an attacker. Inject a payload into the 'X-Real-IP' header during the login process. This can be done using a tool like Burp Suite or by crafting a custom login request that includes the payload in the header. Once the payload is injected, log into the account and navigate to the user dashboard. The injected JavaScript will execute, demonstrating the cross-site scripting vulnerability. To exploit this stored XSS, a login CSRF can be performed by forcing a victim to log into the attacker's account, after which the XSS payload can be used to access sensitive information from the victim's session.

Remediation

Users are advised to update to mailcow: dockerized version 2026-03b or later, where this vulnerability has been patched.
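The two root causes named above are a trusted proxy header that is logged without validation and a dashboard that renders the logged value without escaping. The following Python example is added here to show the defensive pattern for both, plus a check an operator can run over existing login-history rows after upgrading; it is not mailcow's code, and the function names, the trusted-proxy address and the sample log rows are constructed assumptions.

```python
import html
import ipaddress

# Assumption (not mailcow's configuration): the web app sits behind a reverse
# proxy at this address, and only connections arriving from it may carry a
# client address in X-Real-IP. Any other peer's header is ignored.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}


def client_ip(remote_addr, x_real_ip=None):
    """Return the address to record for a login attempt.

    X-Real-IP is honoured only if the direct peer is a trusted proxy AND the
    header value parses as a literal IP address. Anything else falls back to
    the socket peer, so free-form header text never reaches the log.
    """
    peer = ipaddress.ip_address(remote_addr)  # raises ValueError on garbage
    if x_real_ip is not None and peer in TRUSTED_PROXIES:
        try:
            # Normalises the address as well (e.g. lowercases IPv6 hex digits).
            return str(ipaddress.ip_address(x_real_ip.strip()))
        except ValueError:
            pass  # header present but not an IP: keep the peer address
    return str(peer)


def render_login_row(entry):
    """Render one 'Seen successful connections' row.

    Defence in depth: even though client_ip() already rejects non-IP input,
    every field is HTML-escaped at output time. Escaping on display is the
    fix class the advisory describes.
    """
    cells = "".join(
        f"<td>{html.escape(str(entry[key]), quote=True)}</td>"
        for key in ("time", "ip", "service")
    )
    return f"<tr>{cells}</tr>"


def suspicious_log_entries(entries):
    """Post-upgrade check: return stored login-history rows whose IP field is
    not a parseable IP address. On an instance that ran a vulnerable version,
    such rows show that the header was abused and should be purged."""
    flagged = []
    for entry in entries:
        try:
            ipaddress.ip_address(str(entry["ip"]).strip())
        except ValueError:
            flagged.append(entry)
    return flagged


# Constructed sample rows (not real log lines); TEST-NET addresses only.
SAMPLE_LOG = [
    {"time": "2026-04-21T20:00:00Z", "ip": "203.0.113.5", "service": "SOGo"},
    {"time": "2026-04-21T20:01:00Z", "ip": "2001:db8::1", "service": "IMAP"},
    {"time": "2026-04-21T20:02:00Z", "ip": "<b>not-an-ip</b>", "service": "SOGo"},
]

if __name__ == "__main__":
    print(client_ip("10.0.0.2", "203.0.113.5"))        # header accepted
    print(client_ip("10.0.0.2", "<b>not-an-ip</b>"))   # header rejected
    print(client_ip("198.51.100.9", "203.0.113.5"))    # untrusted peer
    for row in SAMPLE_LOG:
        print(render_login_row(row))
    print(suspicious_log_entries(SAMPLE_LOG))
```

The validation step is what keeps the log clean; the escaping step is what keeps an already-poisoned log from executing in the dashboard. Both are needed, since a later code path may read the same stored value and a later deployment may move the proxy.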

Added: Apr 21, 2026, 9:02 PM
Updated: Apr 21, 2026, 9:02 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.3
exploitability: 6.4
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.