KEVIntel
CVSS 5.3 Medium

CVE-2024-11182

PUBLISHED

Stored XSS vulnerability in MDaemon Email Server

377 days faster than CISA KEV

Exploited in the wild · Remote · Low complexity

Vendor: MDaemon
Product: Email Server
Published: Nov 15, 2024
EPSS: 13.5% · 94% pctl


Description

An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.

cisa

Weaknesses (CWE)

  • Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores

CVSS v4.0 5.3 Medium

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CVSS v3.1 6.1 Medium

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitation status

Exploited in the wild

Recorded 2025-05-21 13:10:31 UTC · CVE

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source      Added
CVE First   2025-05-21 13:10 UTC
CISA        2026-06-02 14:07 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • KEV confirmed by CISA