CVE-2024-11182
MEDIUM KEV
MDaemon < 24.5.1 - Stored Cross-Site Scripting via HTML Email Image Tag
Title source: llm
Exploitation Summary
CVE-2024-11182 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 19, 2025.
Description
An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.
References (2)
Core References
Release Notes
https://files.mdaemon.com/mdaemon/beta/RelNotes_en.html
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11182
Scores
CVSS v3: 6.1
EPSS: 0.1352
EPSS Percentile: 94.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total
Details
CISA KEV: 2025-05-19
VulnCheck KEV: 2025-05-15
ENISA EUVD: EUVD-2024-33681
CWE: CWE-79
Status: published
Products (1)
mdaemon/mdaemon < 24.5.1
Published: Nov 15, 2024
KEV Added: May 19, 2025
Tracked Since: Feb 18, 2026