The Benno MailArchiv Web-App is vulnerable to cross-site-scripting if benno-rest-lib / benno-rest prior 2.10.1 is used.
To exploit the vulnerability the attacker sends an email containing malicious javascript to an mailbox which is archived by Benno MailArchiv. When a user logs into the Benno Web-App and views the malicious e-mail, the javascript is executed.
echo '<script>alert(1)</script>' | mail -s "$(echo -e "This is the subject\nContent-Type: text/html")" victim@domain.tld