About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

Alexander V. Leonov
Tags: #xss #vulnerability #web #java #blog

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182). An attacker can send an HTML-formatted email containing malicious JavaScript code embedded in an img tag. If the user opens the email in the MDaemon Email Server’s web interface, the malicious JavaScript code will execute in the context of the web browser window. This allows the attacker to steal credentials, bypass 2FA, and gain access to contacts and email messages.
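The mitigation for this class of bug is the one every webmail client has to get right: never hand a raw HTML email body to the browser, but pass it through an allow-list sanitizer first. The following is an added example, not code from the original post or from MDaemon, of such a sanitizer built on Python's standard `html.parser`. Tag and attribute allow-lists, the URL scheme list and the constructed sample message are assumptions chosen for illustration; the sample carries a harmless `alert(1)` in an `<img>` handler attribute, a `javascript:` link and a `<script>` block, and the sanitizer drops all three while keeping the benign markup. The returned `dropped` list is what you would feed to logging, since a sudden spike in stripped `on*` attributes on inbound mail is itself a useful detection signal.

```python
"""Allow-list sanitizer for HTML email bodies (added example, not the
original post's or MDaemon's code). Removes script tags, inline event
handlers and unsafe URL schemes before the body is rendered in webmail."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists: a real client would tune these to its rendering needs.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"},
                 "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")


def is_safe_url(value: str) -> bool:
    """Accept relative URLs and the listed schemes only. Whitespace and NULs
    are removed first so 'java\\tscript:' cannot slip past the check."""
    v = "".join(ch for ch in value.strip().lower()
                if not ch.isspace() and ch != "\x00")
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # no scheme at all: relative URL
    return head.split(":", 1)[0] + ":" in SAFE_URL_SCHEMES


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []       # sanitized output fragments
        self.dropped = []   # audit trail of what was removed
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"tag:{tag}")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Every on* handler is rejected regardless of tag; everything else
            # must be on the per-tag allow-list.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
                continue
            if name in ("href", "src") and not is_safe_url(value):
                self.dropped.append(f"url:{tag}.{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize_html_email(body: str):
    """Return (sanitized_html, list_of_dropped_items)."""
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message body for the demonstration.
SAMPLE_BODY = (
    '<p>Invoice attached.</p>'
    '<img src="https://example.com/logo.png" alt="logo" onerror="alert(1)">'
    '<a href="javascript:alert(1)">open</a>'
    '<script>alert(1)</script>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html_email(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
```

Sanitizing on the server before the body reaches the browser is the right layer because it is independent of which client renders the message; a Content-Security-Policy that forbids inline script on the webmail origin is a worthwhile second layer, since it limits the damage if the sanitizer ever misses a case.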

On November 1, 2024, researchers from ESET discovered that the vulnerability was being exploited in the wild. They linked the exploitation of this and several other vulnerabilities in webmail interfaces (Roundcube: CVE-2023-43770, CVE-2020-35730; Zimbra: CVE-2024-27443; Horde) to a broader operation dubbed “RoundPress”.

MDaemon patched the vulnerability in version 24.5.1 (released Nov 14, 2024), but ESET disclosed attacks and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19.

In Russian

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

And I invite all Russian speakers to one more Telegram channel, @avleonovrus; that is now where I post first.

Related news

Russia-Linked SpyPress Malware Exploits Webmails to Spy on Ukraine

ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…