Alt-N MDaemon webmail 20.0.0 – ‘Contact name’ Stored Cross Site Scripting (XSS)

Exploit Database
17 阅读

作者： Kailash Bohara

日期： 2021-02-08
类别：
- webapps
平台：
- windows
来源：https://www.exploit-db.com/exploits/49536/

# Exploit Title: Alt-N MDaemon webmail 20.0.0 - 'Contact name' Stored Cross Site Scripting (XSS)
# Date: 2020-08-25
# Exploit Author: Kailash Bohara
# Vendor Homepage: https://www.altn.com/
# Version: Mdaemon webmail < 20.0.0
# CVE : 2020-18724

1. Go to contact section and distribution list menu. Create a new distribution list.
2. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)>
3. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen.

last Exploits
Alt-N MDaemon webmail 20.0.0 – ‘Contact name’ Stored Cross Site Scripting (XSS)的更多信息

Joomla! Component com_xball – ‘team_id’ SQL Injection：
CI User Login and Management 1.0 – Arbitrary File Upload：
Xibo – Cross-Site Request Forgery：
REDCap 11.3.9 – Stored Cross Site Scripting：
rconfig 3.9.6 – Arbitrary File Upload：
TestLink 1.9.3 – Cross-Site Request Forgery：
IBM RICOH InfoPrint 6500 Printer – HTML Injection：
Joomla! Component com_gigfe – SQL Injection：