PT-2024-34350 · Axigen · Axigen Mail Server
Clément Lecigne
·
Published
2024-11-11
·
Updated
2024-11-12
·
CVE-2024-50601
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Axigen Mail Server versions prior to 10.5.29
Description:
The issue concerns persistent and reflected XSS vulnerabilities in the
themeMode cookie and h URL parameter. This could allow attackers to execute arbitrary Javascript, potentially leading to session hijacking, data leakage, and further exploitation via a multi-stage attack.Recommendations:
For Axigen Mail Server versions prior to 10.3.3.67, update to version 10.3.3.67 or later.
For Axigen Mail Server versions 10.3.3.67 through 10.4.41, update to version 10.4.42 or later.
For Axigen Mail Server versions 10.4.42 through 10.5.28, update to version 10.5.29 or later.
As a temporary workaround, consider restricting access to the
h URL parameter and themeMode cookie to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Axigen Mail Server