github axllent/mailpit v1.19.3


This release includes an important security fix, so upgrading is strongly recommended.

A vulnerability was discovered which allowed a bad actor with SMTP access to Mailpit to bypass the Content Security Policy headers using a series of crafted HTML messages, which could result in a stored XSS attack via the web UI. A special thanks to @bmodotdev for responsibly disclosing the vulnerability, providing information and a draft fix. Additional preventative measures have also been added (see below).

  • The CSP headers have been hardened and require a valid nonce ID to run. This makes it impossible to inject any other local JavaScript files (remote & inline JavaScript were already blocked).
  • All message HTML is now sanitized via DOMPurify before rendering in the preview. This removes all unsupported elements such as <script> & <iframe> (which aren't allowed to run anyway), and makes the HTML even safer. This has had significant testing to ensure regular message previews do not break as a result, but should you experience issues then please report these via the issue tracker.
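The nonce-based CSP described above, as an added Go example that is not Mailpit's own code: a handler generates a fresh nonce per request, emits it both in the Content-Security-Policy header and on the bundled script tag, and a helper checks that the two agree (function names and the policy string are illustrative assumptions).

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// newNonce returns a fresh, unguessable nonce (128 bits from crypto/rand).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// cspHeader builds a policy under which only scripts carrying this request's
// nonce may run: inline, remote and un-nonced local script files are blocked.
func cspHeader(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'nonce-%s'; object-src 'none'; base-uri 'self'", nonce)
}

// serveUI sets the CSP header and emits a page whose bundled script carries
// the matching nonce. HTML stored in a message cannot predict this value, so
// any <script> it contains is not executed by the browser. (Illustrative handler.)
func serveUI(w http.ResponseWriter, r *http.Request) {
	nonce, err := newNonce()
	if err != nil {
		http.Error(w, "nonce generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Security-Policy", cspHeader(nonce))
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<!doctype html><html><body><div id="app"></div>`+
		`<script nonce="%s" src="/app.js"></script></body></html>`, nonce)
}

// nonceMatches reports whether the script nonce in the body equals the one
// declared in the CSP header, which is exactly what the browser checks.
func nonceMatches(csp, body string) bool {
	_, rest, ok := strings.Cut(csp, "'nonce-")
	if !ok {
		return false
	}
	nonce, _, _ := strings.Cut(rest, "'")
	return strings.Contains(body, `nonce="`+nonce+`"`)
}
```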

Changelog

Fix

  • Security: Prevent bypass of Content Security Policy using stored XSS, and sanitize preview HTML data (DOMPurify)

Chore

  • Update Go dependencies
  • Display nicer <noscript> message when JavaScript is disabled
