CVE-2024-11182
Published: 2024-11-15
Priority: P2 (78) · CVSS 3.1: 6.1 (medium) · Tags: KEV, ITW
CISA Known Exploited Vulnerability (remediation due 2025-06-09)
Exploited in the wild
EPSS: 17.11% (96.7th percentile)
An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mdaemon | email_server | <= 24.5.0 | — |
| mdaemon | mdaemon | < 24.5.1 | 24.5.1 |
Detection & IOCs (extracted from sources)
- Detect inbound emails containing a noembed tag with a malformed title attribute, which is the specific injection vector used to smuggle JavaScript payloads through MDaemon's HTML parser.
- Detect inbound HTML emails containing JavaScript embedded within img tags, as this is the documented delivery mechanism for CVE-2024-11182.
- Monitor webmail sessions for outbound HTTP POST requests to hardcoded external addresses originating from within the webmail browser context, which is the exfiltration method used by the payload.
- Look for JavaScript in email bodies that creates invisible input fields, a technique used to trigger browser/password manager autofill for credential harvesting.
- Inspect email HTML bodies for scripts that read the DOM or issue HTTP requests to collect email content, contacts, webmail settings, login history, 2FA data, and passwords; all are observed payload behaviors.
- Spear-phishing delivery context: emails referencing current news or political events with embedded news article excerpts should be treated as higher-risk for this campaign's initial access vector.
- Monitor MDaemon App Password creation events following email opens, as the payload was observed establishing persistent access via App Passwords after exploiting the XSS.
- The payload has no persistence mechanism and only executes when the malicious email is opened; detection must therefore focus on the email delivery and in-session network activity, not on host-based persistence artifacts.
- No victim interaction beyond opening the email is required, meaning click-based or redirect-based detection controls will not catch this exploit.
- Each deployed script has slightly different capabilities tuned per target product, so signature-based detection on a single payload variant may miss adapted versions.
- Patching to MDaemon Email Server version 24.5.1c or later is required to remediate the vulnerability; the CISA remediation deadline is 2025-06-09.
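As an added example (not code from this page, from MDaemon, or from any of the cited sources), a small Python triage routine that applies the two message-content checks in the list above to an inbound HTML body and reports which documented vector it saw; the sample messages are constructed, and the patterns run over the raw body rather than a parsed DOM because the noembed vector relies on malformed markup that a parser may normalize away.

```python
from __future__ import annotations

import re

# Added triage helper (not MDaemon's code): flags inbound HTML e-mail bodies that carry
# either delivery vector listed for CVE-2024-11182, so the message can be quarantined or
# routed for review before a webmail user renders it. Presence of a vector is a signal
# for review, not proof of exploitation.
VECTOR_PATTERNS = [
    ("img tag with event-handler attribute",
     re.compile(r"<img\b[^>]*\bon[a-z]+\s*=", re.I | re.S)),
    ("img tag with javascript: URI in src",
     re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?\s*javascript:", re.I | re.S)),
    ("noembed tag carrying a title attribute (review for malformed markup)",
     re.compile(r"<noembed\b[^>]*\btitle\s*=", re.I | re.S)),
]

# Constructed sample messages for a stand-alone run; none is a real campaign payload.
SAMPLE_BODIES = {
    "benign_newsletter":
        '<html><body><p>Weekly update</p>'
        '<img src="https://example.invalid/logo.png" alt="logo"></body></html>',
    "img_event_handler":
        '<html><body><img src="x" onerror="alert(1)"></body></html>',
    "noembed_title":
        '<html><body><noembed title="x\\"><p>news excerpt</p></noembed></body></html>',
}


def triage_html_body(body: str) -> list[str]:
    """Return the label of every documented vector present in one HTML body."""
    return [label for label, pattern in VECTOR_PATTERNS if pattern.search(body)]


def triage_samples(bodies: dict[str, str] = SAMPLE_BODIES) -> dict[str, list[str]]:
    """Triage a batch of messages; an empty list means no documented vector was seen."""
    return {name: triage_html_body(body) for name, body in bodies.items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        verdict = "FLAG" if hits else "pass"
        print(f"{verdict:4} {name}: {', '.join(hits) or '-'}")
```

Feed it the decoded text/html part of each inbound message; a non-empty result is a reason to hold the message for review rather than deliver it to the webmail client.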
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.3 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 5.3 | MEDIUM | |
| cisa | | 5.3 | MEDIUM | |
CISA
MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
cisa · 2025-05-19 · CVSS 5.3 · CVE-2024-11182 [MEDIUM] CWE-79
Affected: MDaemon Email Server
MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html ; https://mdaemon.com/pages/downloads-critical-updates ; https://nvd.nist.gov/vuln/detail/CVE-2024-11182
Remediation Due Date: 2025-06-09
GHSA
GHSA-q3fg-4x56-mx94 · ghsa_unreviewed · 2024-11-15 · CVE-2024-11182 [MEDIUM] CWE-79
An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
VulnCheck
MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
vulncheck · 2024 · CVSS 5.3 · CVE-2024-11182 [MEDIUM] CWE-79
MDaemon Email Server contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.
Affected: MDaemon Email Server
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/en/eset-research/operation-roundpress/; https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2024-q1-2025.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cyble.com/blog/latest-security-vulnerabilities-ivanti/; h
No detection rules found.
No public exploits indexed.
2024-11-15: Published
2025-05-19: Added to CISA KEV
Exploited in the wild