CVE-2024-11182
Stored XSS vulnerability in MDaemon Email Server
In short
MDaemon Email Server before version 24.5.1c allows attackers to send malicious HTML emails with JavaScript code hidden in image tags. When a webmail user opens such an email, the attacker's script runs in their browser, potentially stealing login credentials or performing unauthorized actions.
Technical detail
Stored XSS vulnerability in MDaemon Email Server's webmail interface via unsanitized HTML email content, specifically JavaScript embedded in img tag attributes. The attack vector requires user interaction (opening the email), but persistence is achieved because the malicious email is stored on the server; successful exploitation grants the attacker session access and the ability to perform actions as the victim user.
Summary generated and translated by AI from the official description.
An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
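The root cause described above is that HTML email bodies reached the webmail renderer without an allow-list filter on tags and attributes. The following is an added example, not MDaemon's own code, of the server-side control that closes this class of bug: an allow-list sanitizer that keeps only known-safe tags, drops every attribute that is not explicitly permitted (so all on* event handlers go), and rejects URL attributes whose scheme is not http, https or cid. The function name, the tag and attribute lists, and the sample message are assumptions chosen for the example; the sample input is constructed.

```python
"""Allow-list HTML sanitizer for webmail rendering (added example, not MDaemon code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: a small set of presentational tags and a few attributes per tag.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "cid"}   # cid: inline attachments in MIME mail
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}        # their text content is discarded, not escaped


def safe_url(value: str) -> bool:
    """True only if the URL carries an explicitly allowed scheme.

    Whitespace and control characters are stripped before parsing because
    browsers ignore them inside a scheme, so "java\\tscript:" must still be caught.
    """
    cleaned = "".join(ch for ch in value.strip() if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from an allow-list; everything else is dropped and logged."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.dropped: list[str] = []   # audit trail for detection / logging
        self._skip_depth = 0           # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip_depth += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")      # catches onerror, onload, style, ...
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append(f"url:{tag}.{name}")       # catches javascript:, data:, vbscript:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            self.dropped.append("tag:img(no safe src)")        # an <img> without a safe src is useless
            return
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self._skip_depth:
            self._skip_depth -= 1
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth:
            return                     # drop script/style bodies entirely
        self.out.append(escape(data))  # text nodes are always entity-escaped


def sanitize_email_html(html: str) -> tuple[str, list[str]]:
    """Return (sanitized_html, list_of_dropped_items) for a message body."""
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body: one legitimate inline image, one image carrying an
# event-handler attribute, one javascript: link and one script block.
SAMPLE_EMAIL_HTML = (
    '<p>Hello</p>'
    '<img src="cid:logo" alt="Logo">'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<script>alert(1)</script>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL_HTML)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is deliberately returned alongside the clean HTML: a webmail server that logs `attr:img.onerror` or `url:a.href` per message gives the SOC a cheap detection signal for attempts like the one in this advisory, independent of whether the filter ever fails open.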
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
MDaemon · Email Server