PT-2022-20748 · Axigen · Axigen Mobile Webmail

Published 2022-06-07 · Updated 2023-09-09 · CVE-2022-31470

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Axigen Mobile WebMail versions prior to 10.2.3.12
Axigen Mobile WebMail versions 10.3.x prior to 10.3.3.47
Description
A cross-site scripting (XSS) vulnerability in the index mobile changepass.hsp reset-password section of Axigen Mobile WebMail allows an attacker to run arbitrary JavaScript in the browser of a logged-in user. Because the script executes inside the victim's active webmail session, it can access and retrieve mailbox content. The CVSS vector (UI:R, S:C) reflects that the victim must be induced to interact with attacker-supplied content, for example by opening a crafted link or page, and that the injected script runs in the victim's browser rather than on the server.
Recommendations
For versions prior to 10.2.3.12, update to version 10.2.3.12 or later. For versions 10.3.x prior to 10.3.3.47, update to version 10.3.3.47 or later. As a temporary workaround until the update can be applied, consider restricting access to the index mobile changepass.hsp reset-password section; note that this also blocks the mobile password-reset function for legitimate users.

Weakness Enumeration
XSS (cross-site scripting, CWE-79)

Related Identifiers
CVE-2022-31470

Affected Products
Axigen Mobile Webmail