This CHT Posted November 4, 2022 Group: The leader of the Content Count: 4,798 Achievement Points: 31,702 With Us For: 244 Days Status: Offline Last Seen: May 19 Device: Windows Share Posted November 4, 2022 # Exploit Title: Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS) # Date: 2020-08-25 # Exploit Author: Kailash Bohara # Vendor Homepage: https://www.altn.com/ # Version: Mdaemon webmail < 20.0.0 # CVE : 2020-18724 1. Go to contact section and distribution list menu. Create a new distribution list. 2. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)> 3. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen. Link to comment Share on other sites More sharing options...
Recommended Posts