CVE-2021-27180

MEDIUM

MDaemon < 20.0.4 - Reflected Cross-Site Scripting in Webmail via GET Request


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-27180. PoCs published by chudyPB.

AI-analyzed exploit summary: This repository documents multiple vulnerabilities in MDaemon, including a reflected XSS (CVE-2021-27180), CSRF token fixation (CVE-2021-27181), iframe injection (CVE-2021-27182), and RCE (CVE-2021-27183). The vulnerabilities were patched in January 2021 and can be chained for RCE or account takeover with user interaction.

Description

An issue was discovered in MDaemon before 20.0.4. There is Reflected XSS in Webmail (aka WorldClient). It can be exploited via a GET request. It allows performing any action with the privileges of the attacked user.

Exploits (1)

nomisec WRITEUP 2 stars
by chudyPB · poc
https://github.com/chudyPB/MDaemon-Advisories


Classification
Writeup 90%
Attack Type
XSS
Complexity
Moderate
Reliability
Theoretical
Target: MDaemon (versions prior to January 2021 patch)
No auth needed
Prerequisites: User interaction required · Target must be using unpatched MDaemon version
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/chudyPB/MDaemon-Advisories

Scores

CVSS v3 6.1
EPSS 0.0093
EPSS Percentile 56.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
altn/mdaemon < 20.0.4
Published Apr 14, 2021
Tracked Since Feb 18, 2026