mailcow: dockerized Reflected Parameter Injection Leading to Wrong-Context XSS

Vulnerability

A reflected parameter injection vulnerability allowing for wrong-context cross-site scripting (XSS) has been identified in mailcow: dockerized versions prior to 2026-03b. The mailcow web interface passes the raw `$_SERVER['REQUEST_URI']` to Twig as a global template variable, and `base.twig` renders that value inside a JavaScript string literal in the `setLang()` helper. The value is only subject to Twig's default HTML auto-escaping, which entity-encodes `&`, `<`, `>`, `"` and `'` but leaves characters such as the backslash untouched, rather than the `js` escaping strategy that a string-literal context requires; the data is therefore escaped for the wrong context. In addition, the `query_string()` Twig helper folds every current `$_GET` parameter into the language-switching links on the login page, so attacker-supplied parameters are reflected there as well and preserved across navigation.

Impact

An unauthenticated remote attacker can inject parameters that are reflected into the JavaScript context of the login page, creating a high-credibility phishing opportunity: the crafted link points at the genuine mailcow host and its parameters survive the language switch. Direct script execution is typically blocked because Twig's HTML escaping turns quotes into entities, so the string literal is not closed. That protection can be bypassed in certain configurations, such as when a reverse proxy URL-decodes path components before forwarding the request. PHP's `$_SERVER['REQUEST_URI']` normally carries the undecoded request target, but behind a decoding proxy an encoded `%5C` arrives as a literal backslash, which HTML escaping passes through unchanged; a trailing backslash then escapes the closing quote of the JavaScript string literal and lets the attacker break out of the string.

Reproduction

To reproduce, open the mailcow login page through a crafted URL that carries `session_expired` and `redirect` query parameters. The `redirect` value is reflected, HTML-escaped, into the JavaScript emitted by `setLang()` and, through `query_string()`, into the language-switching links. The reflected value disrupts the page's normal language-switch behaviour and can be used to build a convincing phishing link on the legitimate mailcow host.

Remediation

Users are advised to upgrade to mailcow: dockerized version 2026-03b or later, where this vulnerability has been fixed.

Added: Apr 21, 2026, 8:55 PM
Updated: Apr 21, 2026, 8:55 PM

Vulnerability Rating

Custom Algorithm

  spread           5.2
  impact           1.7
  exploitability   6.7
  remediation      7.7
  relevance        6.4
  threat           1.7
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.