This vulnerability allows attackers to run arbitrary JavaScript code by leveraging a logged-in end-user session. This could allow attackers to perform phishing attacks or exfiltrate data from the logged-in account.
Details
Affected versions:
Axigen 10.x up to 10.3.3.61; fixed starting with 10.3.3.62
Vulnerability type: Cross Site Scripting (XSS)
Affected component(s): Axigen WebMail
Pre-requisites: An existing valid end-user session.
Summary: An XSS vulnerability in Axigen WebMail's image attachment viewer allows attackers to inject HTML content and run arbitrary JavaScript code. The exploit requires an active WebMail session (a logged-in end-user session).
Description: To exploit the vulnerability, attackers can send the end-user an email containing a crafted link. Once the link is clicked, the attacker can inject HTML / JavaScript within Axigen WebMail's pages, allowing exfiltration of mail data for the logged-in user, or capture of user credentials or other relevant end-user information through a fake popup / authentication dialog running under the WebMail domain.
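As an added illustration (not Axigen's code; the real viewer's parameters and fix are not published here), a hypothetical attachment viewer is rendered two ways: once with untrusted query values interpolated raw, which is the bug class this advisory describes, and once with the identifier validated and the display name HTML-escaped:

```javascript
// Added example, not Axigen's code. A hypothetical attachment viewer handler
// builds an HTML page from request parameters ("id" and "name" are assumed names).

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: query values land in the page untouched, so markup in a
// crafted link becomes part of the WebMail page.
function renderViewerVulnerable(params) {
  return `<html><body><h1>${params.name}</h1>` +
         `<img src="/attachment?id=${params.id}"></body></html>`;
}

// Hardened: reject identifiers outside a strict allow-list pattern, escape the
// display name for HTML context, and URL-encode the value placed in the src.
function renderViewerHardened(params) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(params.id)) {
    return '<html><body><p>Invalid attachment.</p></body></html>';
  }
  return `<html><body><h1>${escapeHtml(params.name)}</h1>` +
         `<img src="/attachment?id=${encodeURIComponent(params.id)}"></body></html>`;
}

// Check used when reviewing output: does the page still carry a raw tag from input?
function containsRawTag(html, tag) {
  return html.includes(tag);
}

// Constructed sample: a "crafted link" whose name parameter carries markup
// (placeholder markup for the test, not a working payload).
const craftedParams = { id: 'att42', name: 'photo.png<script>probe()</script>' };
```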
Additional notes: Axigen X4 (10.4.x) and X5 (10.5.x) are not affected; we always recommend that you stay up to date and upgrade to Axigen X5.
Reported by: Clément Lecigne • Google’s Threat Analysis Group
Solution
Upgrade now from your WebAdmin.