Axigen WebMail Stored XSS Vulnerability (CVE-2025-68643)

A stored XSS vulnerability in the timeFormat account preference parameter allows attackers to execute arbitrary JavaScript through a multi-stage attack, potentially resulting in credential theft, session hijacking, and data exfiltration.

Details

Affected versions:
Axigen 10.3.x, 10.4.x, 10.5.x up to 10.5.56; fixed starting with 10.5.57
Axigen 10.6.x up to 10.6.25; fixed starting with 10.6.26

Vulnerability type: Cross Site Scripting (XSS)

Affected component(s): Axigen WebMail

Prerequisites: The attacker must first compromise the victim's timeFormat account preference by exploiting a separate vulnerability or using compromised credentials (multi-stage attack).

Description:

The timeFormat account preference parameter is not sanitized by Axigen WebMail when it is loaded from account storage and rendered. If an attacker manages to modify this parameter as part of a multi-stage attack, they can inject JavaScript into the WebMail interface.

The attack follows two stages:

  1. Initial Compromise — the attacker exploits a separate vulnerability or uses compromised credentials to modify the victim's timeFormat account preference, setting it to a malicious payload that injects HTML into the page.

  2. Payload Execution — when the victim logs into WebMail, the unsanitized timeFormat value is loaded from account storage and inserted into the DOM. The injected payload can redirect resource loading to an attacker-controlled server, enabling the attacker to serve malicious JavaScript that displays fake login forms or performs other actions within the victim's browser session.
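
As an added illustration (not Axigen's code), the following shows the unsafe rendering pattern the advisory describes beside a hardened version that validates the stored timeFormat against an allowlist and escapes it before it reaches the DOM, plus a small audit helper a defender could run over exported account preferences to spot tampered values. The permitted format strings, the function names and the sample records are assumptions constructed for the example.

```javascript
// Added example, not Axigen code. The allowlist below is an assumption; a real
// deployment would use the format strings its own UI actually offers.
const ALLOWED_TIME_FORMATS = new Set(["HH:mm", "HH:mm:ss", "h:mm a", "h:mm:ss a"]);
const DEFAULT_TIME_FORMAT = "HH:mm";

// A time format is only format letters, colons and spaces; anything else
// (angle brackets, quotes, slashes) is not a format and must never be rendered.
const FORMAT_SHAPE = /^[Hhmsa: ]{1,16}$/;

// Normalise a value read from account storage: unknown or malformed input
// falls back to the default instead of being trusted.
function normalizeTimeFormat(stored) {
  if (typeof stored !== "string") return DEFAULT_TIME_FORMAT;
  const value = stored.trim();
  if (!FORMAT_SHAPE.test(value)) return DEFAULT_TIME_FORMAT;
  return ALLOWED_TIME_FORMATS.has(value) ? value : DEFAULT_TIME_FORMAT;
}

// Defence in depth: escape even an allowlisted value before interpolation.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern the advisory describes: the stored value goes straight into markup.
function renderTimeFormatUnsafe(stored) {
  return `<span class="pref-time-format">${stored}</span>`;
}

// Hardened pattern: validate against the allowlist, then escape anyway.
// In a browser, prefer assigning element.textContent over building markup.
function renderTimeFormatSafe(stored) {
  return `<span class="pref-time-format">${escapeHtml(normalizeTimeFormat(stored))}</span>`;
}

// Audit helper: return the accounts whose stored timeFormat is not a valid format,
// a quick way to find preferences that were tampered with in the first stage.
function auditStoredTimeFormats(records) {
  return records
    .filter((r) => normalizeTimeFormat(r.timeFormat) !== String(r.timeFormat).trim())
    .map((r) => r.account);
}

// Constructed sample records: one legitimate value and one carrying markup.
const SAMPLE_RECORDS = [
  { account: "alice", timeFormat: "HH:mm" },
  { account: "bob", timeFormat: "HH:mm<b>x</b>" },
  { account: "carol", timeFormat: "h:mm a" },
];
for (const r of SAMPLE_RECORDS) {
  console.log(renderTimeFormatUnsafe(r.timeFormat), "|", renderTimeFormatSafe(r.timeFormat));
}
```

Running the block prints, for the tampered record, the raw markup passed through by the unsafe renderer next to the default format produced by the safe one, and `auditStoredTimeFormats(SAMPLE_RECORDS)` names only that account.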

This vulnerability was confirmed exploited in production environments running older, unsupported Axigen versions with known first-stage vulnerabilities.

Solution

Update now from your WebAdmin.