MDaemon Server v24.5 Release Notes: Webmail XSS Vulnerability Fix

From this webpage screenshot, we can extract the following key information regarding vulnerabilities and updates: 1. MDaemon Server v24.5 Release Notes: These are the release notes for MDaemon Server v24.5, including fixed bugs, new features, and special considerations. 2. Fixed Bugs: - [28336] Webmail - Browser may hang when viewing certain HTML messages. - [28087] Pro Theme - Clicking "Cancel" then "Show My Shared Key" disables two-factor authentication. - [28096] Pro Theme - When sending a message to a disabled account, the error message does not display the address. - [28130] MDRA - The message "MDaemon is retrieving your settings search cache" never disappears unless any custom queues are set. - [28105] MDRA - Error occurs when editing messages. - [28075] Pro Theme - Message list displays blank areas. - [28161] MDaemon Connector Client Settings - Unable to change tags. - [28165] MDaemon - Unable to add wildcard entries on the account limits page. - [28171] Pro Theme - Unable to send mail using non-standard ports. - [28183] Pro Theme - When requiring full email address in the subject, user names cannot be used. - [28147] Outbreak Protection - Error log processing is skipped if the sender is in the recipient’s allowed senders folder. - [28195] Potential crash when Outbreak Protection initialization fails. - [28148] MDRA - Cancel button is always disabled on the Active Sync edit policy page for default policy. - [28200] AutoDiscover - Ports are not included in IMAP or POP3 unless they have SRV records. - [28201] AutoDiscover - CalDAV and CardDAV URLs are incorrect when using non-standard ports. - [28223] Public folder ticketing system creates invalid folder names in French version of MDaemon. - [28247] MDaemon - Potential crash. - [28309] Webmail - XSS vulnerability. - [28271] Webmail - Messages with invalid URLs may not display correctly. - [28314] Content Filter - Unable to check restricted attachments in specific ZIP files. - [28318] Potential crash in MDAirSync.dll. 3. New Features and Changes: - Added settings search functionality. - Added integration between MDaemon and OneDrive. - Added WebAuthn management tool. - Added password recovery email. - Added group management editor. - Added confirmation dialog for Delete and Delete All buttons. 4. Other Updates: - XMLAPI - Ability to download log files via FileTransfer Operation. - XMLAPI - Management and reporting of scheduled publication URLs. - Improved antivirus scan exclusions. - Improved OAUTH support for ActiveSync migration client. - Dynamic filtering - When an account fails authentication too many times, it is added to a new blocked accounts list. Blocked accounts can still log in from trusted IPs and IPs on the dynamic allow list. Accounts in the exempt accounts list are not added to the blocked accounts list. This information helps understand the vulnerabilities fixed and new features introduced in MDaemon Server v24.5, enabling appropriate security measures when using the software.

Goal Reached Thanks to every supporter — we hit 100%!

MDaemon Server v24.5 Release Notes: Webmail XSS Vulnerability Fix