Axigen Mobile WebMail XSS Vulnerability (CVE-2022-31470)

This vulnerability allows attackers to run arbitrary Javascript code that, using an active end-user session (for a logged-in user), can access and retrieve mailbox content.


Affected versions: 
Axigen; fixed starting with
Axigen; fixed starting with

Vulnerability type: Cross Site Scripting (XSS)

Affected component(s): Axigen Mobile WebMail

Pre-requisites: An existing valid end-user session.

Summary: An XSS vulnerability in the index_mobile_changepass.hsp reset-password section of Axigen Mobile WebMail allows attackers to run arbitrary Javascript code. The exploit requires an active end-user session (the user is logged-in) and allows the attacker to access and retrieve mailbox content.

Description: The vulnerability can be exploited regardless of whether or not the password reset functionality is exposed for the end users by the admins. To exploit the vulnerability, attackers can send the users a phishing email (or other type of message) containing a password reset link. Once the index_mobile_changepass.hsp section is accessed by the end-user, provided there is an active end-user session, attackers can run arbitrary Javascript code that can iterate through folders and emails, as well as retrieve them and send them to a remote endpoint through HTTP calls.


Upgrade now from your WebAdmin.

If you are unable to upgrade your Axigen deployment, you can perform a manual workaround by renaming the index_mobile_changepass.hsp file to one that can't be run by the Axigen server (e.g. you can just remove the extension by renaming to index_mobile_changepass).