CVE-2023-48974
Published 2024-02-08
Priority P258 · critical · 9.6 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 2.96% (85.5th percentile)
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| axigen | axigen_mail_server | <= 10.5.7 | — |
Detection & IOCs (extracted from sources)
- cookie: `WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D`
- Monitor POST requests to the Axigen WebAdmin interface targeting the `page=gl_set` endpoint with a crafted `serverName_input` multipart form-data field containing script payloads.
- Inspect multipart/form-data POST bodies for script injection content (e.g., `alert()`, `<script>` tags) in the `serverName_input` parameter directed at the Axigen WebAdmin port (default 9443).
- The exploit uses a multipart boundary `---------------------------41639384187581032291088896642`; anomalous or static multipart boundaries in requests to Axigen WebAdmin may indicate automated exploit tooling.
- Presence of the `_hadmin` session cookie alongside a POST to `page=gl_set` with script content in `serverName_input` is a strong indicator of an exploitation attempt.
- The `_h` parameter value in the exploit URL (`1bb40e85937506a7186a125bd8c5d7ef`) is likely a session-specific token and will vary per authenticated session; do not rely on this exact value as a static IOC.
- The vulnerability affects Axigen WebMail versions prior to 10.3.3.61 only; patched instances running 10.3.3.61 or later are not affected.
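
The request-level checks listed above can be combined into one function that runs over captured or proxied requests. This is an added example, not a rule from this page or from Axigen. It assumes `page=gl_set` is carried in the query string, that header names arrive in the casing shown, and that the script-marker regex is a starting heuristic; the sample requests are constructed.

```python
import re
from email import message_from_bytes
from urllib.parse import urlsplit, parse_qs

# Heuristic script markers (an assumption of this example; tune before use).
SCRIPT_RE = re.compile(rb"<\s*script|javascript:|\bon\w+\s*=|alert\s*\(", re.I)

def form_fields(content_type, body):
    """Parse a multipart/form-data body into {field name: raw value bytes}."""
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    fields = {}
    if msg.is_multipart():
        for part in msg.get_payload():
            name = part.get_param("name", header="content-disposition")
            if name:
                fields[name] = part.get_payload(decode=True) or b""
    return fields

def findings(method, url, headers, body):
    """Return the indicators from the list above matched by one request."""
    # Assumption: page=gl_set travels in the query string, next to _h.
    query = parse_qs(urlsplit(url).query)
    ctype = headers.get("Content-Type", "")
    if (method != "POST" or "gl_set" not in query.get("page", [])
            or not ctype.lower().startswith("multipart/form-data")):
        return []
    value = form_fields(ctype, body).get("serverName_input")
    if value is None or not SCRIPT_RE.search(value):
        return []
    hits = ["script content in serverName_input"]
    cookies = headers.get("Cookie", "").split(";")
    if any(c.strip().startswith("_hadmin=") for c in cookies):
        hits.append("_hadmin session cookie present")
    return hits

# Constructed sample requests (boundary, token and values are made up).
CT = {"Content-Type": "multipart/form-data; boundary=constructedBoundary01"}
def sample_body(value):
    return (b"--constructedBoundary01\r\n"
            b'Content-Disposition: form-data; name="serverName_input"\r\n\r\n'
            + value + b"\r\n--constructedBoundary01--\r\n")

URL = "/?_h=PLACEHOLDER_TOKEN&page=gl_set"
SUSPICIOUS = ("POST", URL, {**CT, "Cookie": "_hadmin=PLACEHOLDER"},
              sample_body(b"<script>alert(1)</script>"))
BENIGN = ("POST", URL, {**CT, "Cookie": "_hadmin=PLACEHOLDER"},
          sample_body(b"mail.example.test"))

if __name__ == "__main__":
    for name, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, findings(*req))
```

Matching on the parsed field value rather than on the raw body or the boundary string keeps the check independent of the tooling that produced the request.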