Axigen Mail Server Stored Cross-Site Scripting Vulnerability in WebMail Interface

Vulnerability

A stored cross-site scripting vulnerability has been identified in Axigen Mail Server versions 10.3.x, 10.4.x, and 10.5.x prior to 10.5.57, as well as in Axigen 10.6.x up to 10.6.25. The issue arises in the WebMail interface, specifically within the timeFormat account preference parameter, which is not properly sanitized. This vulnerability allows attackers to inject malicious JavaScript that is executed when the victim accesses their account via WebMail. The exploitation involves a multi-stage attack, where the attacker first modifies the timeFormat preference to include a harmful payload, and then, when the victim logs in, the injected script is executed, potentially leading to credential theft, session hijacking, and data exfiltration.
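
The root cause described above is a preference value that is stored unvalidated and later rendered into the WebMail page. The following illustration, added here and not taken from Axigen's code base, shows the defensive pattern: a strict allowlist on the `timeFormat` value at save time, output encoding at render time, and an audit helper that lists accounts whose stored value would not pass the allowlist (useful when reviewing accounts after patching). The token set, function names and record shape are assumptions.

```javascript
// Added illustration (not Axigen code): allowlist validation for a time-format
// preference, output encoding, and an audit over stored values.
// The accepted token set and the account record shape are assumptions.

// Tokens a time-format preference may legitimately contain (assumed set).
const TIME_FORMAT_RE = /^(?:HH|H|hh|h|mm|ss|a|A|[:\s.\-\/])+$/;
const MAX_LEN = 16;

// True only for short values built entirely from allowed tokens.
function isValidTimeFormat(value) {
  return typeof value === 'string' && value.length <= MAX_LEN && TIME_FORMAT_RE.test(value);
}

// HTML-encode the characters that can break out of a text node or attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Server-side save handler: reject anything off the allowlist instead of storing it,
// because a stored value is rendered in every later session of that account.
function savePreference(account, value) {
  if (!isValidTimeFormat(value)) {
    return { ok: false, error: 'timeFormat rejected: not an allowed format string' };
  }
  account.timeFormat = value;
  return { ok: true };
}

// Render the preference into markup, encoding on output even though input was
// validated: records written before validation existed may still hold bad values.
function renderTimeFormatField(account) {
  return `<input name="timeFormat" value="${escapeHtml(account.timeFormat)}">`;
}

// Audit helper for responders: accounts whose stored value fails today's allowlist,
// i.e. candidates for a preference that was tampered with before the fix.
function findSuspiciousTimeFormats(accounts) {
  return accounts.filter((a) => !isValidTimeFormat(a.timeFormat)).map((a) => a.name);
}

// Constructed sample records (not real data).
const SAMPLE_ACCOUNTS = [
  { name: 'alice', timeFormat: 'HH:mm' },
  { name: 'bob', timeFormat: 'h:mm a' },
  { name: 'mallory', timeFormat: '"><b>x</b>' },
];
```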

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's session.

Remediation

Users should update to Axigen 10.5.57 or 10.6.27 to address this vulnerability.

Added: Feb 5, 2026, 6:03 PM
Updated: Feb 5, 2026, 9:15 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 1.7
exploitability: 4.2
remediation: 7.7
relevance: 2.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.