Skip to content

v1.19.3

Compare
Choose a tag to compare
@axllent axllent released this 26 Jul 10:52
· 117 commits to develop since this release

This release includes an important security fix, so upgrading is strongly recommended.

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, proving information and an draft fix. Additional preventative measures have also been added (see below).

  • The CSP headers have been hardened and require a valid nonce ID to run. This will make it impossible to inject any other local JavaScript files (remote & inline JavaScript was already blocked).
  • All message HTML is now sanitized via DOMPurify before rendering in the preview. This will remove all unsupported elements such as<script> & <iframe> (which aren't allowed to run anyway), and make the HTML even safer. There has had significant testing to try ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.

Changelog

Fix

  • Security: Prevent bypass of Contend Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)

Chore

  • Update Go dependencies
  • Display nicer <noscript> message when JavaScript is disabled