CVE-2023-48974
published 2024-02-08


Priority: P2 (58)
Severity: critical, CVSS 3.1 base score 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploit: available
EPSS: 2.96% (85.5th percentile)
Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.

Affected (1 range)

Vendor: axigen
Product: axigen_mail_server
Version range: <= 10.5.7
Fixed in: (not given)

Detection & IOCs (extracted from sources)

URL: /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set
Cookie: WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D
Port: 9443
Command: serverName_input=alert(1)
  • Monitor POST requests to the Axigen WebAdmin interface targeting the `page=gl_set` endpoint with a crafted `serverName_input` multipart form-data field containing script payloads.
  • Inspect multipart/form-data POST bodies for script injection content (e.g., alert(), <script> tags) in the `serverName_input` parameter directed at the Axigen WebAdmin port (default 9443).
  • The exploit uses a multipart boundary `---------------------------41639384187581032291088896642`; anomalous or static multipart boundaries in requests to Axigen WebAdmin may indicate automated exploit tooling.
  • Presence of the `_hadmin` session cookie alongside a POST to `page=gl_set` with script content in `serverName_input` is a strong indicator of an exploitation attempt.
  • The `_h` parameter value in the exploit URL (`1bb40e85937506a7186a125bd8c5d7ef`) is likely a session-specific token and will vary per authenticated session; do not rely on this exact value as a static IOC.
  • The vulnerability affects Axigen WebMail versions prior to 10.3.3.61 only; patched instances running 10.3.3.61 or later are not affected.
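The indicators above as a small Python check over a raw HTTP request, added here as an example (not code from the advisory or from Axigen); the sample request, its host name and its session values are constructed, and `assess` / `multipart_fields` are hypothetical helper names:

```python
import re

# Added example; not Axigen's code. Flags the indicators listed above in a raw
# HTTP request: POST to page=gl_set with script content in serverName_input.
SCRIPT_RE = re.compile(r"<\s*script|alert\s*\(|javascript:|\bon\w+\s*=", re.I)
KNOWN_BOUNDARY = "---------------------------41639384187581032291088896642"

def multipart_fields(content_type, body):
    """Return {name: value} for a multipart/form-data body."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    fields = {}
    for part in body.split(b"--" + m.group(2).encode()) if m else []:
        part = part.strip(b"\r\n")
        if part and part != b"--":  # skip the preamble and the closing "--"
            hdrs, _, value = part.partition(b"\r\n\r\n")
            name = re.search(rb'name="([^"]*)"', hdrs)
            if name:
                fields[name.group(1).decode()] = value.decode("utf-8", "replace")
    return fields

def assess(raw):
    """Return the matched indicators for one raw HTTP request; [] means clean."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (l.partition(":") for l in lines[1:])}
    if method != "POST" or "page=gl_set" not in target:
        return []
    ctype = headers.get("content-type", "")
    value = multipart_fields(ctype, body).get("serverName_input", "")
    hits = []
    if SCRIPT_RE.search(value):
        hits.append("script content in serverName_input")
        if "_hadmin=" in headers.get("cookie", ""):  # authenticated WebAdmin session
            hits.append("_hadmin WebAdmin session cookie present")
        if KNOWN_BOUNDARY in ctype:  # fixed boundary suggests automated tooling
            hits.append("static multipart boundary from public exploit")
    return hits

# Constructed sample request (not a real capture) shaped like the IOCs above.
SAMPLE = (b"POST /?_h=SESSIONTOKEN&page=gl_set HTTP/1.1\r\n"
          b"Host: mail.example.test:9443\r\n"
          b"Cookie: _hadmin=EXAMPLESESSION\r\n"
          b"Content-Type: multipart/form-data; boundary=" + KNOWN_BOUNDARY.encode()
          + b"\r\n\r\n--" + KNOWN_BOUNDARY.encode() + b"\r\n"
          b'Content-Disposition: form-data; name="serverName_input"\r\n\r\n'
          b"alert(1)\r\n"
          b"--" + KNOWN_BOUNDARY.encode() + b"--\r\n")
```

Running `assess(SAMPLE)` returns all three indicators; a benign server name in the same form yields an empty list.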