CVE-2020-18723

MEDIUM

MDaemon Webmail < 20.0.1 - Stored Cross-Site Scripting in File Attachment Field

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-18723. PoCs published by Kailash Bohara.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in Alt-N MDaemon webmail versions prior to 20.0.0. The exploit involves renaming a file with a malicious payload and triggering the XSS when the victim interacts with the email.

Description

Stored cross-site scripting (XSS) in file attachment field in MDaemon webmail 19.5.5 allows an attacker to execute code on the email recipient side while forwarding an email to perform potentially malicious activities.

Exploits (1)

exploitdb WRITEUP
by Kailash Bohara · textwebappswindows
https://www.exploit-db.com/exploits/49537

This is a writeup describing a stored XSS vulnerability in Alt-N MDaemon webmail versions prior to 20.0.0. The exploit involves renaming a file with a malicious payload and triggering the XSS when the victim interacts with the email.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Alt-N MDaemon webmail < 20.0.0
Auth required
Prerequisites: Access to MDaemon webmail · Ability to send emails with attachments
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
http://kailashbohara.com.np/blog/2020/07/15/mdaemon-stored-xss

Scores

CVSS v3 5.4
EPSS 0.0380
EPSS Percentile 88.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
altn/mdaemon_webmail < 20.0.1
Published Feb 03, 2021
Tracked Since Feb 18, 2026