Axigen WebMail Persistent and Reflected XSS Vulnerabilities (CVE-2024-50601)

Persistent and reflected XSS vulnerabilities in the themeMode cookie and the _h URL parameter allow attackers to execute arbitrary JavaScript through a multi-stage attack, potentially resulting in session hijacking and data exfiltration.

Details

Affected versions: 
Axigen 10.3.x up to 10.3.3.66; fixed starting with 10.3.3.67
Axigen 10.4.x up to 10.4.41; fixed starting with 10.4.42
Axigen 10.5.x up to 10.5.28; fixed starting with 10.5.29

Vulnerability type: Cross-Site Scripting (XSS)

Affected component(s): Axigen WebMail

Description:

The XSS vulnerabilities affect the themeMode cookie and _h parameter, allowing attackers to:

1. Inject JavaScript — attackers can inject and execute JavaScript by exploiting the lack of sanitization in the _h parameter. Because they can execute JavaScript in WebMail, they can also change the account's cookie values.

2. Execute Code Persistently — once cookie values have been changed to malicious JavaScript payloads, attackers exploit a second XSS vulnerability in which WebMail reflects unsanitized cookie values. The code then executes persistently, for as long as the cookie they set contains the malicious payload.

This multi-stage attack leverages the persistent nature of various application cookies (e.g. themeMode, readingPane), allowing attackers to maintain access and potentially conduct further actions within the user’s WebMail environment.
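
A server-side mitigation for the cookie-reflection stage described above, as an added example that is not Axigen's code. The cookie names come from the advisory; the allowed values, the defaults, the `<body class>` rendering context and all function names are assumptions made for illustration.

```javascript
// Added example (not Axigen code). Cookie names are from the advisory;
// the allowed values and defaults below are assumed for illustration.
const ALLOWED = {
  themeMode: new Set(["light", "dark"]),
  readingPane: new Set(["right", "bottom", "off"]),
};
const DEFAULTS = { themeMode: "light", readingPane: "right" };

// Parse a Cookie header; malformed percent-encoding is kept as the raw value.
function parseCookies(header) {
  const out = Object.create(null);
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep raw */ }
    out[part.slice(0, eq).trim()] = value;
  }
  return out;
}

// Encode characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=\/]/g, (c) => "&#" + c.charCodeAt(0) + ";");
}

// Pattern the advisory describes: the cookie value is reflected as-is.
function renderVulnerable(cookies) {
  return '<body class="theme-' + cookies.themeMode + '">';
}

// Hardened: accept only known preference values, otherwise use the default.
function safePref(cookies, name) {
  const v = cookies[name];
  return ALLOWED[name].has(v) ? v : DEFAULTS[name];
}

// Allowlisted value is still encoded, so a later allowlist change stays safe.
function renderHardened(cookies) {
  return '<body class="theme-' + escapeHtml(safePref(cookies, "themeMode")) + '">';
}

// Constructed sample header: themeMode carries a markup-breaking value.
const SAMPLE =
  "themeMode=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E; readingPane=right";
console.log(renderVulnerable(parseCookies(SAMPLE)));
console.log(renderHardened(parseCookies(SAMPLE)));
```

Because the tampered cookie is replaced by the default on every request, the persistence described in step 2 ends as soon as the hardened renderer is in place, even if the cookie itself is never cleared.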

 


Reported by: Clément Lecigne  •   Google’s Threat Analysis Group

Solution

Update now from your WebAdmin.