CVE-2025-3929 MEDIUM

CVE-2025-3929: Stored XSS vulnerability in MDaemon Email Server

Vendor Mdaemon

Product Email Server

Weakness CWE-79 · XSS

Published April 29, 2025

Last update April 29, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

An XSS issue was discovered in MDaemon Email Server version 25.0.1 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data.

Key dates

02Disclosure timeline

April 29, 2025 CVE published

April 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-3929 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-9877 Embed Google Datastudio <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-28096 Stored Cross-site Scripting in Class functionality in Schoolbox CVE-2025-2709 Yonyou UFIDA ERP-NC login.jsp cross site scripting CVE-2025-3510 tagDiv Composer <= 5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes CVE-2024-12435 Compare Products for WooCommerce <= 3.2.1 - Reflected Cross-Site Scripting