Axigen WebMail XSS Vulnerability (CVE-2024-25080)

This vulnerability allows attackers to run arbitrary Javascript code, leveraging a logged-in end-user session. This could allow attackers to perform phishing attacks or exfiltrate data from the logged-in account.


Affected versions: 
Axigen 10.x up to; fixed starting with

Vulnerability type: Cross Site Scripting (XSS)

Affected component(s): Axigen WebMail

Pre-requisites: An existing valid end-user session.

Summary: An XSS vulnerability in Axigen WebMail's image attachment viewer, allowing attackers to inject HTML content and run arbitrary Javascript code. The exploit requires an active WebMail session (a logged-in end-user session).

Description: To exploit the vulnerability, attackers can send the end-user an email containing a crafted link. Once the link is clicked, the attacker can inject HTML / Javascript within Axigen WebMail’s pages, allowing exfiltration of mail data for the logged-in user, or the gain of user credentials or other relevant end-user info through a fake popup / authentication dialog running under the WebMail domain.

Additional notes: Axigen X4 (10.4.x) and X5 (10.5.x) are not affected; we always recommend you to stay up to date. Upgrade to Axigen X5


Reported by: Clément Lecigne  •   Google’s Threat Analysis Group


Upgrade now from your WebAdmin.