header-logo
Suggest Exploit
vendor:
MDaemon Webmail
by:
Kailash Bohara
8.8
CVSS
HIGH
Stored Cross Site Scripting (XSS)
79
CWE
Product Name: MDaemon Webmail
Affected Version From: Mdaemon webmail < 20.0.0
Affected Version To: Mdaemon webmail < 20.0.0
Patch Exists: YES
Related CWE: 2020-18724
CPE: a:altn:mdaemon_webmail
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2020

Alt-N MDaemon webmail 20.0.0 – ‘Contact name’ Stored Cross Site Scripting (XSS)

Go to contact section and distribution list menu. Create a new distribution list. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)>. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen.

Mitigation:

Input validation and output encoding should be used to prevent XSS attacks.
Source

Exploit-DB raw data:

# Exploit Title: Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)
# Date: 2020-08-25
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.altn.com/
# Version: Mdaemon webmail < 20.0.0
# CVE : 2020-18724

1. Go to contact section and distribution list menu. Create a new distribution list.
2. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)>
3. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen.

Navigation

Suggest Exploit

Services By CQR