Axigen XSS vulnerability for html attachments

2015.07.22
Credit: SecuriTeam
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


Overall CVSS score: 3.5/10
Impact: 2.9/10
Exploitability: 6.8/10
Required access: Remote
Attack complexity: Medium
Authentication: Single
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVEID: CVE-2015-5379
SUBJECT: Axigen XSS vulnerability for html attachments
DESCRIPTION: Axigen's WebMail Ajax interface implements a view-attachment function that executes JavaScript code contained in HTML email attachments. This allows a malicious user to craft email messages that could expose an Axigen WebMail Ajax user to cross-site scripting or other attacks that rely on arbitrary JavaScript code running within a trusted domain. Axigen versions starting with 9.0 address this issue by limiting the attachment types that are loaded in the browser. For earlier Axigen versions, patches are available on the Axigen support channel.
Affected Products and Versions: Axigen Mail Server [1] 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory: [2]
Reported by: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program [3]

[1] https://www.axigen.com
[2] https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html
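The vendor fix described above restricts which attachment types are loaded in the browser. As an added example (not Axigen's code), the following generic attachment-serving header policy applies the same idea: only an allowlist of passive types is served inline, and everything else, including any HTML or SVG body, is forced to download under an opaque type; the function names, the type lists and the CSP value are assumptions for illustration.

```python
import mimetypes
from typing import Optional
from urllib.parse import quote

# Assumed allowlist: types a browser renders without running attacker-supplied script.
INLINE_SAFE = {"text/plain", "image/png", "image/jpeg", "image/gif", "application/pdf"}


def effective_types(filename: str, declared_type: Optional[str]) -> set:
    """Collect every type the browser might pick for this attachment: the
    sender-declared MIME type (parameters such as charset stripped) and the
    type implied by the file extension. Both are attacker-controlled."""
    guessed, _ = mimetypes.guess_type(filename)
    declared = declared_type.split(";")[0].strip().lower() if declared_type else None
    return {t.lower() for t in (declared, guessed) if t}


def is_inline_safe(filename: str, declared_type: Optional[str]) -> bool:
    """Inline only when declared type and extension agree on a single type
    that is on the allowlist; any disagreement or unknown type is a download."""
    types = effective_types(filename, declared_type)
    return len(types) == 1 and types <= INLINE_SAFE


def attachment_headers(filename: str, declared_type: Optional[str]) -> dict:
    """HTTP response headers for a webmail attachment-view endpoint."""
    # Strip CR/LF and quotes so a crafted filename cannot break out of the header.
    safe_name = "".join(ch for ch in filename if ch not in '\r\n"').strip() or "attachment"
    ascii_name = safe_name.encode("ascii", "replace").decode()
    name_params = f'filename="{ascii_name}"; filename*=UTF-8\'\'{quote(safe_name)}'
    headers = {
        # Stop the browser from sniffing a different (active) type from the body.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: whatever is rendered gets no script and no origin.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if is_inline_safe(filename, declared_type):
        headers["Content-Type"] = next(iter(effective_types(filename, declared_type)))
        headers["Content-Disposition"] = "inline; " + name_params
    else:
        # Opaque type plus attachment disposition: nothing is rendered in the mail origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment; " + name_params
    return headers
```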

References:

https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html

