Axigen WebAdmin XSS Vulnerability (CVE-2023-49101)

This vulnerability allows attackers to run arbitrary JavaScript code that, using an active admin session (a logged-in admin), can access the admin interface.

Details

Affected versions: 
Axigen 10.3.3.0-10.3.3.60; fixed starting with 10.3.3.61
Axigen 10.4.0-10.4.23; fixed starting with 10.4.24
Axigen 10.5.0-10.5.9; fixed starting with 10.5.10
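The three affected ranges above can be turned into an inventory check. The following is an added example written for this page, not Axigen's own code; the host names and version strings in the sample inventory are constructed.

```python
"""Classify Axigen version strings against the CVE-2023-49101 advisory ranges."""

# (branch prefix, first affected, last affected, first fixed), as listed in the advisory
RANGES = [
    ((10, 3, 3), (10, 3, 3, 0), (10, 3, 3, 60), (10, 3, 3, 61)),
    ((10, 4), (10, 4, 0), (10, 4, 23), (10, 4, 24)),
    ((10, 5), (10, 5, 0), (10, 5, 9), (10, 5, 10)),
]


def parse_version(text):
    """Turn '10.4.23' into (10, 4, 23); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'affected', 'fixed' or 'not covered' for one version string.

    'not covered' means the advisory lists no range for that version
    (e.g. a different branch), so it must be assessed separately.
    """
    v = parse_version(version_text)
    for prefix, first, last, fixed in RANGES:
        if v[: len(prefix)] != prefix:
            continue  # version belongs to another branch
        if first <= v <= last:
            return "affected"
        if v >= fixed:
            return "fixed"
        return "not covered"  # branch known, but outside both listed ranges
    return "not covered"


def triage(inventory):
    """inventory: {host: version string}; returns hosts grouped by status."""
    groups = {"affected": [], "fixed": [], "not covered": []}
    for host, ver in inventory.items():
        groups[classify(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions)
    sample = {"mx1": "10.4.2", "mx2": "10.5.12", "mx3": "10.3.3.60", "mx4": "10.2.1"}
    for status, hosts in triage(sample).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```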

Vulnerability type: Cross Site Scripting (XSS)

Affected component(s): Axigen WebAdmin

Pre-requisites: An existing valid admin session.

Summary: An XSS vulnerability in the logic that enables admins to view the usage of SSL certificates allows attackers to run arbitrary JavaScript code. The exploit requires an active admin session (a user with administrative rights on the above-mentioned section is logged in) and allows the attacker to access the admin interface.

Description: To exploit the vulnerability, attackers can send the administrators a phishing email (or another type of message) containing a crafted link. Once the link is opened by the admin, provided there is an active admin session, attackers can run arbitrary JavaScript code that can retrieve the cookie.

Reported by: Ch Muhammad Osama

Solution

Upgrade now from your WebAdmin.