This vulnerability allows attackers to run arbitrary Javascript code that, using an active admin session (for a logged-in admin), can access the admin interface.
Details
Affected versions:
Axigen 10.3.3.0-10.3.3.60; fixed starting with 10.3.3.61
Axigen 10.4.0-10.4.23; fixed starting with 10.4.24
Axigen 10.5.0-10.5.9; fixed starting with 10.5.10
Vulnerability type: Cross Site Scripting (XSS)
Affected component(s): Axigen WebAdmin
Pre-requisites: An existing valid admin session.
Summary: An XSS vulnerability in the logic that enables admins view the usage of SSL certificates allows attackers to run arbitrary Javascript code. The exploit requires an active admin session (a user with administrative rights on the above mentioned section is logged-in) and allows the attacker to access the admin interface.
Description: To exploit the vulnerability, attackers can send the administrators a phishing email (or other type of message) containing a crafted link. Once the link is opened by the admin, provided there is an active admin session, attackers can run arbitrary Javascript code that can retrieve the cookie.
Reported by: Ch Muhammad Osama • Twitter | LinkedIn | Facebook
Solution
Upgrade now from your WebAdmin.