Stack-based buffer overflow in the IMAP server in Alt-N Technologies MDaemon 9.6.4 allows remote authenticated users to execute arbitrary code via a FETCH command with a long BODY.

Multiple cross-site scripting (XSS) vulnerabilities in clientResponse 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Subject or (2) Message field.