cbcvebase.
CVE-2023-39598
published 2023-09-05

Priority: P3 35 · medium · CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: public exploit/template available (see the Nuclei template under Detection & IOCs)
EPSS: 1.39% (68.9th percentile)
Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter. (As with any XSS, the "arbitrary code" is script executed in the victim's browser within the WebClient origin, not code execution on the server.)

Affected (1 range)

Vendor     Product     Version range   Fixed in
icewarp    webclient   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url:   /webmail/?mid={{to_lower(rand_base(4))}}"><script>alert(1)</script>
path:  /webmail/
other: mid parameter (XSS payload injection point)
yara:  none
Nuclei template: id CVE-2023-39598; method GET; path /webmail/?mid=<rand_base(4)>">; matchers: word=["<script>alert(1)</script>","icewarp"], header=["text/html"], status=200
  • Detect reflected XSS probes against IceWarp WebClient by monitoring GET requests to /webmail/ where the 'mid' parameter contains a closing double quote followed by a '>' character (e.g., mid=<value>">), the canonical injection pattern for this CVE. Decode the query string before matching: the same payload arrives as %22%3E when percent-encoded.
  • Confirm exploitation by checking that the HTTP response body contains both the injected script tag (e.g., <script>alert(1)</script>) and the string 'icewarp', with a Content-Type header of 'text/html' and HTTP status 200. A body that reflects the payload with the quote and angle brackets entity-encoded (&quot;&gt;) is not a confirmed hit.
  • Use Shodan/FOFA/Google dorks to identify exposed IceWarp WebClient instances as potential targets: Shodan queries 'title:"icewarp"' or 'http.title:"icewarp"', FOFA query 'title="icewarp"', Google query 'intitle:"icewarp"'.
  • The vulnerability is confirmed to affect IceWarp WebClient version 10.2.1 specifically; other versions are not confirmed vulnerable by the available sources.
  • This is a reflected (non-persistent) XSS requiring user interaction (UI:R in CVSS), meaning exploitation requires the victim to open a crafted link; it is not a stored or DOM-based XSS.
  • The extracted note cites an EPSS score of 0.56383 (98.121st percentile), while the page header shows 1.39% (68.9th percentile). EPSS is recomputed daily, so check the current value before using it to prioritize patching and detection.
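The two detection steps above (spot the probe in access logs, then confirm the reflection in the response) as a runnable example. This is added illustration code, not the Nuclei template and not IceWarp's own code; the access-log lines are constructed samples, the log format is assumed to be Combined Log Format, and the case-insensitive 'icewarp' check is my choice rather than the template's setting.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Combined Log Format (not real traffic).
# Line 1: fully percent-encoded probe; line 2: partly encoded probe;
# line 3: benign request; line 4: same pattern outside /webmail/ (out of scope).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Sep/2023:10:12:01 +0000] "GET /webmail/?mid=abcd%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Sep/2023:10:12:02 +0000] "GET /webmail/?mid=efgh%22><script>alert(1)</script> HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2023:10:13:07 +0000] "GET /webmail/?mid=1234 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Sep/2023:10:13:09 +0000] "GET /other/?mid=x%22%3E HTTP/1.1" 404 120 "-" "curl/8.0"
"""

# Minimal Combined Log Format parser: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The injection pattern the template sends: a double quote that closes an
# attribute value, followed by '>' that closes the tag.
BREAKOUT_RE = re.compile(r'"\s*>')


def parse_log_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def probe_mid_values(method, target):
    """Return the decoded 'mid' values of a request that match the probe pattern:
    GET to /webmail/ with mid containing '">' after URL decoding."""
    if method != "GET":
        return []
    parts = urlsplit(target)
    if not parts.path.startswith("/webmail/"):
        return []
    # parse_qs percent-decodes, so %22%3E and a literal "> are treated alike.
    values = parse_qs(parts.query, keep_blank_values=True).get("mid", [])
    return [v for v in values if BREAKOUT_RE.search(v)]


def find_probes(log_text):
    """Scan access-log text; return one record per request matching the probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if not rec:
            continue
        for mid in probe_mid_values(rec["method"], rec["target"]):
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "status": int(rec["status"]), "mid": mid})
    return hits


def confirms_exploitation(status, headers, body):
    """Mirror the template's matchers, all of which must hold: status 200,
    text/html Content-Type, and a body containing both the reflected script tag
    and the word 'icewarp'. An entity-encoded reflection (&quot;&gt;) fails the
    script-tag check and is therefore not reported as a hit."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return (status == 200
            and "text/html" in ctype.lower()
            and "<script>alert(1)</script>" in body
            and "icewarp" in body.lower())   # case-insensitive: my assumption


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"probe from {hit['client']} at {hit['ts']}: "
              f"mid={hit['mid']!r} (HTTP {hit['status']})")
```

Running the block prints the two probes from 203.0.113.5 and nothing for the benign request or the /other/ path; `confirms_exploitation` is meant to be fed the status, headers and body of a controlled test request so that a log hit alone is not treated as a confirmed compromise.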