Bulwark Webmail, a self-hosted webmail client for Stalwart Mail Server, had an XSS vulnerability (CWE-79) in versions before 1.4.11. The reverse proxy component (proxy.ts) used the Content-Security-Policy-Report-Only header rather than the enforcing Content-Security-Policy header, meaning malicious scripts injected by users (e.g., through crafted email HTML) were logged but not blocked. This allowed attackers to execute arbitrary JavaScript in the context of the webmail application, potentially leading to session token theft or unauthorized actions. The issue is resolved in version 1.4.11.

Exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript in the context of the affected webmail application, potentially leading to session hijacking or unauthorized actions performed on behalf of the user. The CVSS 4.0 score is 5.3 (medium severity), indicating a moderate risk without requiring privileges or user interaction beyond viewing crafted email content.

Upgrade Bulwark Webmail to version 1.4.11 or later, where the reverse proxy sets an enforcing Content-Security-Policy header instead of a report-only header, effectively blocking XSS attacks. No other mitigation is indicated or necessary once the update is applied.