// For flags

CVE-2024-11182

Stored XSS vulnerability in MDaemon Email Server

Severity Score

5.3
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

An XSS issue was discovered in

MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message
with
JavaScript in an img tag. This could
allow a remote attacker

to load arbitrary JavaScript code in the context of a webmail user's browser window.

Se descubrió un problema de XSS en MDaemon Email Server anterior a la versión 24.5.1c. Un atacante puede enviar un mensaje de correo electrónico HTML con JavaScript en una etiqueta img. Esto podría permitir que un atacante remoto cargue código JavaScript arbitrario en el contexto de la ventana del navegador de un usuario de correo web.

*Credits: Matthieu Faou (ESET)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
Passive
System
Vulnerable | Subsequent
Confidentiality
Low
Low
Integrity
Low
Low
Availability
None
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-11-13 CVE Reserved
  • 2024-11-15 CVE Published
  • 2024-11-20 EPSS Updated
  • 2024-11-21 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
  • CAPEC-592: Stored XSS
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
MDaemon
Search vendor "MDaemon"
 Email Server
Search vendor "MDaemon" for product "Email Server"
 <= 24.5.0
Search vendor "MDaemon" for product "Email Server" and version " <= 24.5.0"
en
Affected