CVE-2024-11182

Published Nov 15, 2024

Last updated 5 months ago

Exploit known
CVSS medium 5.3
MDaemon Email Server
SMTP

Overview

Description
An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
Source
security@eset.com
NVD status
Modified
Products
mdaemon

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Known exploits

Data from CISA

Vulnerability name
MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
Exploit added on
May 19, 2025
Exploit action due
Jun 9, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@eset.com: CWE-79
nvd@nist.gov: CWE-79

Social media

Hype score
Not currently trending
  1. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/wCHfNfUdnn https://t.co/PAPOEzT26N

    @scandaletti

    1 Jun 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Operation RoundPress by Fancy Bear exploits XSS vulnerabilities, including CVE-2024-11182 in MDaemon, to deploy SpyPress malware and target Ukrainian government and defense contractors. Global expansion observed in 2024 🌐🚨 #Ukraine #Webmail https://t.co/VxePyZzxE1

    @TweetThreatNews

    31 May 2025

    124 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/CZjriidIcJ https://t.co/1AbHwaZjmw

    @iVarunVerma

    30 May 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/jDVWewg1ZN https://t.co/tB1N0XW8ga

    @mayurk21

    30 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/PmT3xl8t4Q https://t.co/CGu0jvg0YP

    @SirajD_Official

    30 May 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/YyOcGNET2C https://t.co/Wkwk5ZpGJz

    @CloudVirtues

    29 May 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. MDaemon patched CVE-2024-11182 (reported by ESET) in version 24.5.1 (Nov 14, 2024). Yet ESET only disclosed on May 15, 2025, that the vulnerability had been exploited in the wild from the start. 🤷‍♂️ #MDaemon #ESET ➡️ https://t.co/wGVFZzR5wP https://t.co/7zJyBZnRHY

    @leonov_av

    29 May 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress https://t.co/dsTlrkvPI6 https://t.co/5ujPB43bKm

    @IdentityJason

    29 May 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-11182 #MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability https://t.co/6ymfk90y3E

    @ScyScan

    22 May 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. MDaemon XSS Exploited APT actors are exploiting CVE-2024-11182, a critical vulnerability in MDaemon email servers, impacting government and enterprise systems. 🔗https://t.co/1tCPjqyF14 #CyberSecurity #DPI #CVE20241182

    @TuringCyberObs

    16 May 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. #APT28 Different XSS vulnerabilities being used to target additional webmail software: Horde, MDaemon, and Zimbra. Roundcube CVE-2020-35730 CVE-2023-43770 MDaemon CVE-2024-11182 Outlook Elevation of Privilege Vul CVE-2023-23397 Zimbra CVE-2024-27443 https://t.co/VX2gyK5WkH https:

    @blackorbird

    16 May 2025

    3161 Impressions

    22 Retweets

    63 Likes

    23 Bookmarks

    0 Replies

    0 Quotes

  12. The Russian hacker group "Fancy Bear" is running a cyber-espionage campaign targeting the e-mail accounts of senior Ukrainian officials and defense contractors, exploiting vulnerabilities in several webmail products, including the zero-day "CVE-2024-11182", to …

    @01ra66it

    15 May 2025

    740 Impressions

    5 Retweets

    10 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2024-11182 Cross-Site Scripting in MDaemon Email Server Pre-24.5.1c An XSS problem was found in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML email with JavaScript inside an img ta... https://t.co/wKv8GukOjz

    @VulmonFeeds

    15 Nov 2024

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2024-11182 An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could … https://t.co/vw3YUyRw5r

    @CVEnew

    15 Nov 2024

    321 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations