PT-2026-6592 · Unknown · Axigen Mail Server

Published: 2026-02-05 · Updated: 2026-02-11 · CVE-2025-68643

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Axigen Mail Server versions prior to 10.5.57
Description: The software contains a stored Cross-Site Scripting (XSS) issue in how it handles the timeFormat account preference parameter. An attacker can leverage this by injecting a malicious JavaScript payload into the timeFormat preference. When a victim logs into the WebMail interface, the unsanitized timeFormat value is loaded and inserted into the Document Object Model (DOM), leading to script execution. This requires a multi-stage attack, potentially involving exploiting a separate issue or using compromised credentials to initially inject the payload.
Recommendations: Update to version 10.5.57 or later.
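
One way to close this class of bug, shown as an added example that is not Axigen's code and not part of the original advisory: treat the stored timeFormat value as untrusted on both save and load, accept only an allowlisted token grammar, and never hand the raw string to the DOM. The token set, default format, length limit and function names are assumptions made for illustration.

```javascript
// Added example: defensive handling of a stored time-format preference.
// ASSUMPTION: tokens, default and names are hypothetical, not Axigen's.
const ALLOWED_TOKENS = ["HH", "H", "hh", "h", "mm", "ss", "a", "A"]; // longest first
const ALLOWED_SEPARATORS = new Set([":", ".", " "]);
const DEFAULT_FORMAT = "HH:mm";
const MAX_LENGTH = 16;

// Tokenise the format; return null if anything falls outside the allowlist.
function parseTimeFormat(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > MAX_LENGTH) return null;
  const parts = [];
  let i = 0;
  while (i < value.length) {
    const token = ALLOWED_TOKENS.find((t) => value.startsWith(t, i));
    if (token) { parts.push({ token }); i += token.length; }
    else if (ALLOWED_SEPARATORS.has(value[i])) { parts.push({ literal: value[i] }); i += 1; }
    else return null; // markup characters such as < > " ' end up here
  }
  return parts.some((p) => p.token) ? parts : null;
}

// Save path: refuse to store a preference that does not parse.
function validateOnSave(value) {
  if (!parseTimeFormat(value)) throw new RangeError("invalid timeFormat preference");
  return value;
}

// Load path: values stored before validation existed may still be hostile,
// so re-parse and fall back to the default instead of trusting the database.
function formatTime(date, storedFormat) {
  const parts = parseTimeFormat(storedFormat) || parseTimeFormat(DEFAULT_FORMAT);
  const h24 = date.getUTCHours();
  const h12 = h24 % 12 || 12;
  const pad = (n) => String(n).padStart(2, "0");
  const values = {
    HH: pad(h24), H: String(h24), hh: pad(h12), h: String(h12),
    mm: pad(date.getUTCMinutes()), ss: pad(date.getUTCSeconds()),
    a: h24 < 12 ? "am" : "pm", A: h24 < 12 ? "AM" : "PM",
  };
  return parts.map((p) => (p.token ? values[p.token] : p.literal)).join("");
}

// Second layer for any HTML sink; in the browser prefer element.textContent
// over innerHTML so the value is never parsed as markup at all.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => "&#" + c.charCodeAt(0) + ";");
}
```

Validation on load matters as much as validation on save: upgrading stops new bad values, but a preference written before the fix stays in the account store until it is re-checked or reset.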

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-68643

Affected Products: Axigen Mail Server