CVE-2024-11182

medium

Description

An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.

References

Exploits
More

https://securityaffairs.com/178140/security/u-s-cisa-adds-ivanti-epmm-mdaemon-email-server-srimax-output-messenger-zimbra-collaboration-and-zkteco-biotime-flaws-to-its-known-exploited-vulnerabilities-catalog.html

https://www.infosecurity-magazine.com/news/russian-apt-intensify-cyber/

https://www.cisa.gov/news-events/alerts/2025/05/19/cisa-adds-six-known-exploited-vulnerabilities-catalog

https://www.securityweek.com/russian-apt-exploiting-mail-servers-against-government-defense-organizations/

https://www.infosecurity-magazine.com/news/fancy-bear-russia-cyber-espionage/

https://www.welivesecurity.com/en/eset-research/operation-roundpress/

https://www.bleepingcomputer.com/news/security/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign/

https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html

https://cyberscoop.com/russia-fancy-bear-gru-ukrainian-military-contractors/

https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html

Details

Source: Mitre, NVD

Published: 2024-11-15

Updated: 2025-05-21

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

CVSS v4

Base Score: 5.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Severity: Medium

EPSS

EPSS: 0.39826