Alt-N MDaemon | CVE-2024-23776

A high-severity security vulnerability, CVE-2024-23776, has been discovered in Alt-N MDaemon version 23.5.1, specifically in its handling of public and shared folder names within the application. This vulnerability allows for Authentication Cross-Site Scripting (XSS) attacks through specially crafted folder names, posing a significant risk to the security of users interacting with these folders.

The vulnerability arises from a failure to properly sanitize user input when rendering folder names, enabling attackers to inject malicious HTML and JavaScript code. Consequently, when users interact with these folders, arbitrary scripts may execute, potentially leading to information disclosure and other malicious activities.

The steps to reproduce the vulnerability include creating or renaming a public or shared folder, injecting the provided XSS payload into the folder name, and then accessing the folder through the application or sharing its link. This remote attack vector could be exploited to compromise the security of affected systems.

Alt-N MDaemon users are strongly advised to upgrade to a patched version or implement mitigations to address this vulnerability promptly.
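The root cause described above, folder names placed into a page without output encoding, is shown here next to the encoded form, together with a review helper for existing folder names. This is an added example, not MDaemon code: the function names, the markup and the sample folder names are all constructed for illustration.

```javascript
// Added illustration, not vendor code. All names and sample data are constructed.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can change HTML parsing, in a single pass
// so that already-replaced text is never escaped twice.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the folder name reaches the markup exactly as stored.
function renderFolderUnsafe(name) {
  return '<li class="folder" title="' + name + '">' + name + "</li>";
}

// Hardened pattern: the name is encoded for both the attribute value and
// the element body, so the browser treats it as text only.
function renderFolderSafe(name) {
  const safe = escapeHtml(name);
  return '<li class="folder" title="' + safe + '">' + safe + "</li>";
}

// Review helper: list stored folder names that contain markup delimiters
// or quotes. A legitimate name such as "R&D" is not flagged; it only
// needs encoding at render time.
function auditFolderNames(names) {
  return names.filter((n) => /[<>"'`]/.test(n));
}

// Constructed sample data.
const sampleFolders = [
  "Public Folders/Sales",
  "Shared/R&D",
  "Shared/<script>alert(1)</script>",
  'Public Folders/Q3 "final" <b>draft</b>',
];

for (const name of sampleFolders) {
  console.log(renderFolderSafe(name));
}
console.log("needs review:", auditFolderNames(sampleFolders));
```

Encoding at render time is the fix; the audit only helps find names that were stored before the fix was in place.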