CVE-2022-29975 | CVE-2022-29976 | Alt-N MDaemon up to 20.00 Cross-Site Scripting (XSS)
Description
On May 11, an authenticated reflected cross-site scripting vulnerability in the CC and BCC parameters was discovered in MDaemon before 22.0.0 by the security team of Green Tick Nepal Pvt. Ltd., located in Kathmandu, Nepal.
Proof of Concept
The security team of Green Tick Nepal Pvt. Ltd. published a proof of concept (PoC) and reported it to MDaemon Technologies. The vulnerability was found in the Alt-N MDaemon mail server software and categorized as exploitable. Manipulating the CC and BCC parameters with a maliciously crafted payload led to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-79, and such a vulnerability affects integrity. An attacker may be able to inject a maliciously crafted payload that alters the appearance of the page and makes it possible to initiate further attacks against site visitors. Eventually, the victim's browser could be taken over.
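To illustrate the sink class described above, here is an added example (not MDaemon code and not the Green Tick PoC): a minimal compose-form renderer that reflects the `cc` and `bcc` query parameters into input attributes, once without encoding and once with attribute-context HTML escaping, plus a check that shows whether a constructed probe string survives into the markup. All function names and the sample query are assumptions for this example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed example: a webmail compose form that pre-fills the CC and BCC
# fields from the query string. Function names are hypothetical.
TEMPLATE = ('<form method="post">'
            '<input name="cc" value="{cc}">'
            '<input name="bcc" value="{bcc}">'
            '</form>')

# Constructed probe (not a real exploit string): it merely closes the
# attribute, which is enough to show whether the reflection is encoded.
PROBE = '"><b>probe</b>'
PROBE_QUERY = "cc=" + quote(PROBE) + "&bcc=ops@example.test"


def _params(query):
    """Decode cc/bcc from a URL query string; missing values become ''."""
    p = parse_qs(query, keep_blank_values=True)
    return p.get("cc", [""])[0], p.get("bcc", [""])[0]


def render_compose_vulnerable(query):
    """Reflects the parameters verbatim: attacker-controlled markup lands in the page."""
    cc, bcc = _params(query)
    return TEMPLATE.format(cc=cc, bcc=bcc)


def render_compose_fixed(query):
    """Attribute-context output encoding: quotes, angle brackets and ampersands are escaped."""
    cc, bcc = _params(query)
    return TEMPLATE.format(cc=html.escape(cc, quote=True),
                           bcc=html.escape(bcc, quote=True))


def reflects_raw(rendered, payload):
    """True if the raw payload appears unencoded in the rendered HTML (a reflected XSS sink)."""
    return payload in rendered


if __name__ == "__main__":
    print("vulnerable:", reflects_raw(render_compose_vulnerable(PROBE_QUERY), PROBE))
    print("fixed:     ", reflects_raw(render_compose_fixed(PROBE_QUERY), PROBE))
```

The same `reflects_raw` check can be run against a staging instance's response body to confirm a fix before and after upgrading.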
Solution
As per the MDaemon Technologies security team, the issue has been resolved.
| CVE-ID | Description | Products |
| --- | --- | --- |
| CVE-2022-29975 | An authenticated reflected cross-site scripting vulnerability in the CC parameter was discovered in MDaemon before 22.0.0 | MDaemon Technologies Version 22.0.0 |
| CVE-2022-29976 | An authenticated reflected cross-site scripting vulnerability in the BCC parameter was discovered in MDaemon before 22.0.0 | MDaemon Technologies Version 22.0.0 |
Responsible Disclosure Timeline
| Date | Remarks |
| --- | --- |
| March 30, 2022 | The vulnerability was found and submitted to the vendor. |
| April 05, 2022 | Received acknowledgement e-mail from the vendor. |
| April 25, 2022 | The vendor confirmed that the vulnerabilities were fixed. |
| May 11, 2022 | CVE published. |
References