Axigen XSS Vulnerability Allows Arbitrary Code Execution and Sensitive Information Theft
CVE-2023-40355

5.4MEDIUM

Key Information:

Vendor: Axigen
Status: Axigen Mobile Webmail
Vendor: CVE Published:; 7 February 2024

What is CVE-2023-40355?

A Cross Site Scripting (XSS) vulnerability has been identified in specific versions of Axigen Mail Server, allowing authenticated attackers to manipulate web applications by injecting malicious scripts. This flaw arises from the logic for switching between the Standard and Ajax versions of the user interface, which can be exploited to execute arbitrary code. Upon successful exploitation, attackers may gain unauthorized access to sensitive information, potentially compromising user accounts and other critical data. It is crucial for users of affected Axigen versions to apply available patches or upgrades to mitigate the risks associated with this vulnerability.

References

https://www.axigen.com/knowledgebase/Axigen-WebMail-XSS-V...

EPSS Score

22% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Feb 7, 2024
Vulnerability Reserved
Aug 14, 2023