CVE-2022-31470
published 2022-06-07

Priority: P3 55
CVSS 3.1: 6.1 medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploit: available
EPSS: 52.09% (98.8th percentile)
An XSS vulnerability in the index_mobile_changepass.hsp reset-password section of Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47 allows attackers to run arbitrary Javascript code that, using an active end-user session (for a logged-in user), can access and retrieve mailbox content.

Affected (2 ranges)

Vendor | Product               | Version range             | Fixed in
axigen | axigen_mobile_webmail | >= 10.2.2.0 < 10.2.3.12   | 10.2.3.12
axigen | axigen_mobile_webmail | >= 10.3.3.0 < 10.3.3.47   | 10.3.3.47

Detection & IOCs (extracted from sources)

url: /index_mobile_changepass.hsp
url: /index.hsp?m=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
path: /index.hsp
cookie_h
yara
id: CVE-2022-31470
info:
  name: Axigen WebMail - Cross-Site Scripting
  author: AmirZargham
  severity: medium
  • Detect XSS probe against Axigen WebMail by looking for the reflected payload 'alert(document.domain)' in HTTP responses to requests targeting /index.hsp with the 'm' parameter.
  • Fingerprint Axigen WebMail instances via Shodan/FOFA using the title 'Axigen' before probing for the vulnerability.
  • Confirm Axigen WebMail presence by checking HTTP response body for the strings 'Axigen WebMail', 'AXI-SCRIPT', 'axigen-web-fonts', or 'AXIWMRememberLogin' before exploitation.
  • Exfiltration of mailbox content is performed by appending a dynamically created script tag whose src points to an out-of-band server with base64-encoded email data as a query parameter.
  • The nuclei template uses a two-step flow: first confirm the Axigen WebMail login page, then send the XSS probe to /index.hsp?m=<script>alert(document.domain)</script> and check for reflection in a text/html 200 response.
  • The vulnerability affects Axigen Mobile WebMail before 10.2.3.12 and 10.3.x before 10.3.3.47; the nuclei template also references versions up to 10.5.0-4370c946, suggesting a broader affected range than the original NVD advisory.
  • The exploit requires an active authenticated end-user session to access and retrieve mailbox content; unauthenticated exploitation is limited to reflected XSS delivery.
  • The exploit code references an external out-of-band (OOB) server variable '${oob_server}' for data exfiltration; defenders should monitor for unusual outbound script-tag src requests from webmail sessions.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd    | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd    | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N