CVE-2023-39598
Published 2023-09-05
CVE-2023-39598: Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the…
Priority: P3 (35), medium, CVSS 3.1 score 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 1.39% (68.9th percentile)
Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icewarp | webclient | — | — |
Detection & IOCs (extracted from sources)
- url: /webmail/?mid={{to_lower(rand_base(4))}}"><script>alert(1)</script>
- path: /webmail/
- other: mid parameter XSS payload injection point
- yara: Nuclei template id: CVE-2023-39598; method: GET; path: /webmail/?mid=<rand_base(4)>">; matchers: word=["<script>alert(1)</script>","icewarp"], header=["text/html"], status=200
- Detect reflected XSS probe against IceWarp WebClient by monitoring GET requests to /webmail/ where the 'mid' parameter contains a closing double-quote followed by a '>' character (e.g., mid=<value>">), which is the canonical injection pattern for this CVE.
- Confirm exploitation by checking that the HTTP response body contains both the injected script tag (e.g., <script>alert(1)</script>) and the string 'icewarp', with a Content-Type header of 'text/html' and HTTP status 200.
- Use Shodan/FOFA/Google dorks to identify exposed IceWarp WebClient instances as potential targets: Shodan queries 'title:"icewarp"' or 'http.title:"icewarp"', FOFA query 'title="icewarp"', Google query 'intitle:"icewarp"'.
- The vulnerability is confirmed to affect IceWarp WebClient version 10.2.1 specifically; other versions are not confirmed vulnerable by the available sources.
- This is a reflected (non-persistent) XSS requiring user interaction (UI:R in CVSS), meaning exploitation requires the victim to click a crafted link; it is not a stored or DOM-based XSS.
- The EPSS score of 0.56383 (98.121st percentile) indicates a very high probability of exploitation in the wild; prioritize detection and patching accordingly.
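
The request and response checks from the list above, as an added Python example (not part of the original page or of the Nuclei template). It goes slightly beyond the text by also matching the percent-encoded form of the `">` break-out; the combined log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line (assumed format): client, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [05/Sep/2023:10:00:00 +0000] "GET /webmail/?mid=ab12%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Sep/2023:10:00:05 +0000] "GET /webmail/?mid=4f7a HTTP/1.1" 200 4800',
    '198.51.100.7 - - [05/Sep/2023:10:01:00 +0000] "GET /webmail/?mid=zz9q"><script>alert(1)</script> HTTP/1.1" 200 5120',
    '198.51.100.8 - - [05/Sep/2023:10:02:00 +0000] "POST /webmail/?mid=x%22%3E HTTP/1.1" 302 0',
    '198.51.100.9 - - [05/Sep/2023:10:03:00 +0000] "GET /other/?mid=x%22%3E HTTP/1.1" 404 0',
]

def mid_breakout(target):
    """Return the decoded 'mid' value if it contains a double quote followed
    by '>' on the /webmail/ path, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/webmail/"):
        return None
    # parse_qs percent-decodes, so %22%3E and a literal "> are treated alike.
    for value in parse_qs(parts.query, keep_blank_values=True).get("mid", []):
        if '">' in value:
            return value
    return None

def scan(lines):
    """Return (client, status, decoded mid) for every GET that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        value = mid_breakout(m["target"])
        if value is not None:
            hits.append((m["ip"], int(m["status"]), value))
    return hits

def response_confirms(status, content_type, body, injected):
    """Response conditions listed above: status 200, text/html, and a body
    that contains both the unescaped injected tag and the word 'icewarp'."""
    return (status == 200 and "text/html" in content_type.lower()
            and injected in body and "icewarp" in body)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A request hit alone only shows a probe was sent; pairing it with `response_confirms` on the captured response separates probes against patched or escaping servers from reflections that actually reached the browser.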
No detection rules found.
Nuclei
IceWarp Email Client - Cross Site Scripting
nuclei·CVSS 6.1
CVE-2023-39598 [MEDIUM] IceWarp Email Client - Cross Site Scripting
Template:
```yaml
id: CVE-2023-39598
info:
  name: IceWarp Email Client - Cross Site Scripting
  author: Imjust0
  severity: medium
  description: |
    Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
  remediation: |
    Apply the latest security patches and updates from the vendor to address this vulnerability.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially le
```
No writeups or analysis indexed.
2023-09-05
Published