221 matches found
Axigen WebMail - Cross-Site Scripting
Cross Site Scripting XSS vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions. id:...
Axigen WebMail - Cross-Site Scripting
Axigen WebMail versions 10.5.0-4370c946 and older are vulnerable to reflected XSS via the m parameter in the /index.hsp endpoint. id: CVE-2022-31470 info: name: Axigen WebMail - Cross-Site Scripting author: AmirZargham severity: medium description: | Axigen WebMail versions 10.5.0-4370c946 and...
Axigen Mail Server Filename Directory Traversal
Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. dot dot in the fileName parameter in a download action to source/loggin/pagelogdwnfile.hsp, or the fileName parameter in an edi...
CVE-2025-68723
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting XSS vulnerabilities in the WebAdmin interface. Three instances exist: 1 the log file name parameter in the Local Services Log page, 2 certificate file content in the SSL Certificates View Usage feature, and 3 the...
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint page=sslcerts. This allows the...
CVE-2025-68722
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery CSRF vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...
CVE-2025-68643
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting XSS in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by...
CVE-2025-68643
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting XSS in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by...
CVE-2025-68723
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting XSS vulnerabilities in the WebAdmin interface. Three instances exist: 1 the log file name parameter in the Local Services Log page, 2 certificate file content in the SSL Certificates View Usage feature, and 3 the...
CVE-2025-68643
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting XSS in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by...
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint page=sslcerts. This allows the...
CVE-2025-68722
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery CSRF vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...
CVE-2025-68722
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery CSRF vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint page=sslcerts. This allows the...
EUVD-2025-206825
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery CSRF vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...
CVE-2025-68722
Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery CSRF vulnerability in the WebAdmin interface through improper handling of the s breadcrumb parameter. The application accepts state-changing requests via the GET method and automatically processes...
CVE-2025-68723
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting XSS vulnerabilities in the WebAdmin interface. Three instances exist: 1 the log file name parameter in the Local Services Log page, 2 certificate file content in the SSL Certificates View Usage feature, and 3 the...
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint page=sslcerts. This allows the...
CVE-2025-68723
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting XSS vulnerabilities in the WebAdmin interface. Three instances exist: 1 the log file name parameter in the Local Services Log page, 2 certificate file content in the SSL Certificates View Usage feature, and 3 the...
CVE-2025-68721
Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint page=sslcerts. This allows the...