Alt-N MDaemon webmail 20.0.0 – ‘Contact name’ Stored Cross Site Scripting (XSS)

• Exploit Database
• 120 阅读

• 作者： Kailash Bohara
  日期： 2021-02-08
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49536/
• 1 2 3 4 5 6 7 8 9 10 11

  # Exploit Title: Alt-N MDaemon webmail 20.0.0 - &apos;Contact name&apos; Stored Cross Site Scripting (XSS) # Date: 2020-08-25 # Exploit Author: Kailash Bohara # Vendor Homepage: https://www.altn.com/ # Version: Mdaemon webmail < 20.0.0 # CVE : 2020-18724   1. Go to contact section and distribution list menu. Create a new distribution list. 2. Contact name field is vulnerabile to XSS. Use the payload <img src=x onerror=alert(1)> 3. We can see execution code and after saving it, each time we visits the distribution list section the XSS pop-up is seen.