CVEID: CVE-2015-5379
SUBJECT: Axigen XSS vulnerability for html attachments
DESCRIPTION: Axigen's WebMail Ajax interface implements a view
attachment function that serves email HTML attachments to the browser
from the WebMail origin, so any JavaScript contained in such an
attachment is executed in that origin.
This allows a malicious user to craft email messages that could expose
an Axigen WebMail Ajax user to cross-site scripting or other attacks
that rely on arbitrary JavaScript code running within a trusted domain
(for example, acting on the victim's mailbox with the victim's session).
Axigen versions starting with 9.0 address this issue by limiting the
attachment types that are loaded in the browser.
For earlier Axigen versions patches are available on the Axigen support
channel.
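The following is an added example, not Axigen code and not the vendor's patch, showing the kind of server-side decision the fix describes: an allowlist of attachment types that may be rendered inline, with everything else (text/html, image/svg+xml, and so on) forced to download so it never executes in the WebMail origin. The test message, the attachment names, the INLINE_SAFE list and the sandboxed_preview_headers helper are assumptions made for the illustration.

```python
"""Decide how a webmail server may hand an attachment to the browser.

Added example for CVE-2015-5379; not Axigen code. A constructed message
carrying an HTML attachment with a script, a PNG and an SVG is parsed,
and each attachment gets response headers that keep the WebMail origin
free of attacker-controlled script.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed allowlist: bodies that carry no active content when served as-is.
# Note that image/svg+xml and application/xhtml+xml are deliberately absent.
INLINE_SAFE = frozenset({"image/png", "image/jpeg", "image/gif", "text/plain"})

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def safe_filename(name):
    """Keep only the last path component and header-safe characters."""
    name = (name or "attachment").replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE_CHARS.sub("_", name).lstrip(".")
    return name or "attachment"


def response_headers(content_type, filename):
    """Headers for serving one attachment from the WebMail origin."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    name = safe_filename(filename)
    # nosniff stops the browser from promoting a download to text/html.
    headers = {"X-Content-Type-Options": "nosniff"}
    if ctype in INLINE_SAFE:
        headers["Content-Type"] = (
            "text/plain; charset=utf-8" if ctype == "text/plain" else ctype
        )
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # Anything not allowlisted is downloaded, never rendered in-origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{name}"'
    return headers


def sandboxed_preview_headers(filename):
    """Assumed alternative for products that must preview HTML: the CSP
    sandbox directive blocks script and origin access in the rendered page."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "sandbox",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_filename(filename)}"',
    }


def plan_attachments(raw_message):
    """Return (filename, headers) for every attachment of a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return [
        (part.get_filename(), response_headers(part.get_content_type(),
                                               part.get_filename()))
        for part in msg.iter_attachments()
    ]


def build_sample():
    """Constructed test message: one hostile HTML attachment, one benign PNG,
    one SVG with an event handler and a path-traversal style filename."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"<script>alert(document.cookie)</script>",
                       maintype="text", subtype="html", filename="invoice.html")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n",
                       maintype="image", subtype="png", filename="logo.png")
    msg.add_attachment(b"<svg onload='alert(1)'/>",
                       maintype="image", subtype="svg+xml", filename="../chart.svg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, headers in plan_attachments(build_sample()):
        print(name, "->", headers["Content-Disposition"], "|", headers["Content-Type"])
```

The allowlist is the point of the fix described above: a denylist of text/html alone would still let image/svg+xml or application/xhtml+xml script run. If inline HTML preview is a requirement, serving it from a separate origin or with Content-Security-Policy: sandbox is the usual alternative; the plain-allowlist path is the one the advisory describes.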
Affected Products and Versions: Axigen Mail Server [1] 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory: [2]
Reported by: An anonymous researcher working with Beyond Security's
SecuriTeam Secure Disclosure program [3]
[1] https://www.axigen.com
[2] https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html