CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48974 – Axigen < 10.5.7 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-48974
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter. Vulnerabilidad de cross-site scripting en Axigen WebMail v.10.5.7 y anteriores permite a un atacante remoto escalar privilegios a través de un script manipulado al parámetro serverName_input. • https://www.exploit-db.com/exploits/51963 https://github.com/vinnie1717/CVE-2023-48974 https://www.axigen.com/mail-server/download https://www.axigen.com/updates/axigen-10.3.3.61 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-49101
https://notcve.org/view.php?id=CVE-2023-49101
WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates. WebAdmin en Axigen 10.3.x anterior a 10.3.3.61, 10.4.x anterior a 10.4.24 y 10.5.x anterior a 10.5.10 permite ataques XSS contra administradores debido al mal manejo de la visualización del uso de certificados SSL. • https://www.axigen.com/kb/show/400 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2023-40355
https://notcve.org/view.php?id=CVE-2023-40355
Cross Site Scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5, allows authenticated attackers to execute arbitrary code and obtain sensitive information via the logic for switching between the Standard and Ajax versions. Vulnerabilidad de Cross Site Scripting (XSS) en las versiones de Axigen 10.3.3.0 anteriores a 10.3.3.59, 10.4.0 anteriores a 10.4.19 y 10.5.0 anteriores a 10.5.5, permite a atacantes autenticados ejecutar código arbitrario y obtener información confidencial a través de la lógica de cambiar entre las versiones Standard y Ajax. • https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-Vulnerability-CVE-2023-40355-_396.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23566
https://notcve.org/view.php?id=CVE-2023-23566
A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code. Un problema de verificación en dos pasos en Axigen 10.3.3.52 permite a un atacante acceder a un buzón omitiendo la verificación en dos pasos cuando intenta agregar una cuenta a cualquier servicio de correo web de terceros (o agregar una cuenta a Outlook o Gmail, etc. ) con IMAP o POP3 sin ningún código de verificación. • https://github.com/umz-cert/vulnerabilities/issues/1 https://github.com/umz-cert/vulnerabilitys/blob/patch-1/Axigen%20Mail%20Server%2010.3.3.52%202-Step%20verification https://www.axigen.com/documentation/2-step-verification-two-factor-authentication-for-webmail-p69140479 https://www.axigen.com/mail-server/download •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2022-31470 – Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS
https://notcve.org/view.php?id=CVE-2022-31470
An XSS vulnerability in the index_mobile_changepass.hsp reset-password section of Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47 allows attackers to run arbitrary Javascript code that, using an active end-user session (for a logged-in user), can access and retrieve mailbox content. Una vulnerabilidad de tipo XSS en la sección index_mobile_changepass.hsp reset-password de Axigen Mobile WebMail versiones anteriores a 10.2.3.12 y 10.3.x anteriores a 10.3.3.47 permite a atacantes ejecutar código Javascript arbitrario que, usando una sesión de usuario final activa (para un usuario conectado), puede acceder y recuperar el contenido del buzón Axigen versions 10.5.0–4370c946 and below suffer from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/51722 http://packetstormsecurity.com/files/174551/Axigen-10.5.0-4370c946-Cross-Site-Scripting.html https://axigen.com https://www.axigen.com/knowledgebase/Axigen-Mobile-WebMail-XSS-Vulnerability-CVE-2022-31470-_390.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •