Alt-N MDaemon | CVE-2024-23777

A high-severity security vulnerability, CVE-2024-23777, has been discovered in Alt-N MDaemon version 23.5.1, specifically in its handling of public and shared folder names within the application. This vulnerability allows for Authentication Cross-Site Scripting (XSS) attacks through specially crafted folder names, potentially compromising the security of users interacting with these folders. The XSS vulnerability stems from a failure to properly sanitize user input when rendering folder names within the application. Attackers can exploit this weakness by injecting crafted HTML and JavaScript code into the folder names, leading to the execution of arbitrary scripts when users interact with these folders. The steps to reproduce the vulnerability include creating or renaming a public or shared folder, injecting the provided XSS payload into the folder name, and then accessing the folder through the application or sharing its link. This remote attack vector could be exploited to disclose sensitive information to unauthorized parties.