Persistent and reflected XSS vulnerabilities in the themeMode cookie and _h URL parameter of Axigen Mail Server up to version 10.5.28 allow attackers to execute arbitrary Javascript. Exploitation could lead to session hijacking, data leakage, and further exploitation via a multi-stage attack. Fixed in versions 10.3.3.67, 10.4.42, and 10.5.29.
History

Tue, 12 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Axigen
Axigen axigen Mail Server
Weaknesses CWE-79
CPEs cpe:2.3:a:axigen:axigen_mail_server:-:*:*:*:*:*:*:*
Vendors & Products Axigen
Axigen axigen Mail Server
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 Nov 2024 23:00:00 +0000

Type Values Removed Values Added
Description Persistent and reflected XSS vulnerabilities in the themeMode cookie and _h URL parameter of Axigen Mail Server up to version 10.5.28 allow attackers to execute arbitrary Javascript. Exploitation could lead to session hijacking, data leakage, and further exploitation via a multi-stage attack. Fixed in versions 10.3.3.67, 10.4.42, and 10.5.29.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-11-11T00:00:00

Updated: 2024-11-12T15:54:01.976Z

Reserved: 2024-10-27T00:00:00

Link: CVE-2024-50601

cve-icon Vulnrichment

Updated: 2024-11-12T15:53:55.736Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-11T23:15:05.763

Modified: 2024-11-12T16:35:22.810

Link: CVE-2024-50601

cve-icon Redhat

No data.