
Warning: High-severity XSS vulnerability in Axigen mail server software

Reference: Advisory #2023-141
Version: 1.0
Affected software: 
Axigen 10.3.3.0 until and including Axigen 10.3.3.60
Axigen 10.4.0 until and including Axigen 10.4.23
Axigen 10.5.0 until and including Axigen 10.5.9
Type: Cross-Site Scripting (XSS)
CVE/CVSS: CVE-2023-49101 / 7.8 High

Sources

Axigen - https://www.axigen.com/knowledgebase/Axigen-WebAdmin-XSS-Vulnerability-CVE-2023-49101-_400.html

Risks

The Cross-Site Scripting vulnerability in Axigen's mail server software (WebAdmin) allows an attacker who gets an authenticated administrator to open a crafted link to hijack that administrator's session and access the administrative interface.

Description

CVE-2023-49101 - Cross-Site Scripting (XSS) vulnerability

The vulnerability allows an attacker to run arbitrary JavaScript code in the browser of a user of a vulnerable system, i.e. to carry out a cross-site scripting attack.

Exploitation requires the attacker to send the administrator a phishing email (or another type of message) containing a crafted link. If the administrator opens the link while holding an active admin session, the attacker's JavaScript runs in the administrator's browser and can retrieve the administrator's session cookie. The attacker can then use this cookie to impersonate the administrator in the Axigen mail server software and access its administrative interface. Note that the injected script runs with the administrator's session even where the cookie itself cannot be read by script: it can issue requests to the administrative interface directly from the victim's browser.
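To make the mechanism concrete, the following is an added example written for this page; it is not Axigen's code and does not reproduce the actual WebAdmin page or parameter, which this advisory does not describe. It shows the generic shape of a reflected XSS: a page handler that echoes a query parameter into HTML without encoding, beside the same handler with output encoding. The host mail.example.test, the parameter q and the payload are all constructed for the illustration.

```javascript
// Added example (not Axigen code): a reflected XSS of the kind described
// above, and its fix. The server echoes an attacker-controlled query
// parameter into the page; without output encoding the parameter is parsed
// as markup, so a <script> carried in the link runs in the victim's browser
// with the victim's (here: the administrator's) session.

// Constructed attack link: the hostname, path, parameter and payload are
// hypothetical and not taken from the advisory.
const ATTACK_URL =
  "https://mail.example.test/admin/?q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E";

// Vulnerable rendering: raw string interpolation into an HTML text context.
function renderVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// HTML-encode the characters that can break out of a text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Hardened rendering: encode the untrusted value before interpolating it.
function renderHardened(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Deliberately rough check, used only to make the difference visible:
// does the produced markup contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Extract the parameter exactly as a browser would hand it to the server
// (percent-decoding included) and render it both ways.
function demo(url) {
  const q = new URL(url).searchParams.get("q");
  const vulnerable = renderVulnerable(q);
  const hardened = renderHardened(q);
  return {
    vulnerable,
    hardened,
    vulnerableExecutes: containsScriptTag(vulnerable),
    hardenedExecutes: containsScriptTag(hardened),
  };
}

console.log(JSON.stringify(demo(ATTACK_URL), null, 2));
```

Output encoding at the point where untrusted data is written into the page is the fix; marking the session cookie HttpOnly (and Secure, with an appropriate SameSite value) limits what a successful injection can steal, but, as noted above, does not stop the injected script from acting on the administrator's behalf within the same session.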

Recommended Actions

The Centre for Cyber Security Belgium strongly recommends that system administrators visit the Axigen updates page for the version they run and download and install the patched version of this software.
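As an added aid for triage (written for this page; not part of the advisory and not an Axigen tool), the following checks a version string against the three affected ranges listed above so that an inventory of Axigen hosts can be sorted into patch and no-patch before visiting the updates page. The sample inventory, hostnames and versions are constructed; the check assumes dotted-integer version strings as written in the advisory.

```javascript
// Added example, not part of the CCB advisory or of Axigen's tooling: a
// triage helper that tests whether an Axigen version string lies inside one
// of the affected ranges listed in this advisory. Versions are assumed to be
// dotted integers as written there (e.g. "10.4.12"); missing trailing
// components are treated as 0, so "10.4" compares equal to "10.4.0".

const AFFECTED_RANGES = [
  { from: "10.3.3.0", to: "10.3.3.60" },
  { from: "10.4.0", to: "10.4.23" },
  { from: "10.5.0", to: "10.5.9" },
];

// Parse "10.4.12" into [10, 4, 12]; reject anything that is not dotted digits.
function parseVersion(v) {
  if (!/^\d+(\.\d+)*$/.test(v)) throw new Error(`not a dotted version: ${v}`);
  return v.split(".").map(Number);
}

// Component-wise numeric comparison, so 10.4.9 < 10.4.23 (a plain string
// sort would get this wrong). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when v lies inside any listed range, both ends inclusive, as the
// advisory's "until and including" wording says. Anything outside every
// range (10.4.24, a 10.2.x, ...) is merely "not listed as affected" here.
// Caveat: a version with an extra build component such as "10.4.23.5" sorts
// above "10.4.23" and is reported as not affected; confirm such cases against
// the vendor page rather than trusting this check alone.
function isAffected(v) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.from) >= 0 && compareVersions(v, r.to) <= 0
  );
}

// Filter an inventory of { host, version } records down to the hosts to patch.
function hostsToPatch(inventory) {
  return inventory.filter((h) => isAffected(h.version));
}

// Constructed sample inventory: hostnames and versions are made up.
const SAMPLE_INVENTORY = [
  { host: "mx1.example.test", version: "10.5.9" },
  { host: "mx2.example.test", version: "10.5.10" },
  { host: "mx3.example.test", version: "10.4.23" },
  { host: "mx4.example.test", version: "10.3.3.61" },
  { host: "mx5.example.test", version: "10.3.3.0" },
  { host: "legacy.example.test", version: "10.2.8" },
];

for (const h of hostsToPatch(SAMPLE_INVENTORY)) {
  console.log(`${h.host}: Axigen ${h.version} is in an affected range`);
}
```

A host reported as affected should be taken to the Axigen updates page for its release line; a host reported as not affected by this check may still need review if its version string carries a suffix the advisory's ranges do not cover.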

Axigen's updates pages: