MDaemon Email Server
cpe:2.3:a:mdaemon:email_server:*:*:*:*:*:*:*
- <= 20.0.0
- <= 25.0.1
A cross-site scripting (XSS) vulnerability exists in MDaemon Email Server versions 25.0.1 and earlier. This issue allows remote attackers to inject arbitrary JavaScript into an HTML email, which could then be executed in the context of the webmail user's browser and potentially access sensitive user data.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the user's browser, potentially leading to the theft of cookies or session tokens, or other sensitive information accessible to the user.
Users can update to MDaemon Email Server version 25.0.2 or higher. For those using versions 24.5.x, 24.0.x, 23.5.x, 23.0.x, 22.0.x, 21.5.x, 21.0.x, or 20.x.x, specific update instructions are available on the MDaemon website. Security Gateway for Email users should download the current version from the Security Gateway Downloads page.