MDaemon Advisories:
- CVE-2021-27180 (Reflected XSS)
- CVE-2021-27181 (CSRF Token Fixation)
- CVE-2021-27182 (Iframe injection)
- CVE-2021-27183 (Remote Code Execution)
These vulnerabilities were already patched in January 2021 and are published here for CVE purposes. They can be chained to achieve RCE or account takeover via an email message (user interaction required).
Timeline:
15-Dec-2020: Vulnerability reports sent to the vendor
12-Jan-2021: Patch published
Patch notes:
https://www.altn.com/Support/SecurityUpdate/MD011221_MDaemon_EN/
Thank you MDaemon Technologies for quick fixes and good cooperation. :)