CVEID: CVE-2015-5379
SUBJECT: Axigen XSS vulnerability for HTML attachments
DESCRIPTION: Axigen's WebMail Ajax interface implements a view attachment function that executes JavaScript code contained in HTML email attachments. This allows a malicious user to craft email messages that could expose an Axigen WebMail Ajax user to cross-site scripting or other attacks that rely on arbitrary JavaScript code running within a trusted domain. Axigen versions starting with 9.0 address this issue by limiting the attachment types that are loaded in the browser. For earlier Axigen versions, patches are available through the Axigen support channel.
Affected Products and Versions: Axigen Mail Server [1] 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory: [2]
Reported by: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program [3]
[1] https://www.axigen.com
[2] https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html
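As an added illustration of the mitigation the advisory describes (example code, not Axigen's own fix), here is a minimal server-side policy for a "view attachment" endpoint: an attachment is rendered inline only when its declared type is on a short allowlist and its leading bytes do not look like markup; everything else, HTML included, is forced to download as an opaque blob so it never executes in the webmail origin. The function and constant names are assumptions of this example.

```python
import re

# Conservative allowlist of types that may be rendered inline by the browser.
# text/html, image/svg+xml and other script-capable types are deliberately absent.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain", "application/pdf"}

# Markers of active HTML content, used to catch attachments whose declared
# type is benign (e.g. image/png) but whose body is really markup.
_HTML_MARKERS = re.compile(rb"<\s*(script|html|iframe|object|embed|svg)\b|javascript:", re.IGNORECASE)


def attachment_headers(declared_type: str, filename: str, payload: bytes) -> dict:
    """Return the HTTP response headers for serving one mail attachment.

    declared_type is the MIME type from the MIME part (may carry parameters),
    filename is the untrusted name from the mail, payload is the decoded body.
    """
    ctype = declared_type.split(";", 1)[0].strip().lower()
    # Neutralise path separators and quotes before echoing the name in a header.
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "attachment"
    headers = {
        # Stop the browser from second-guessing the Content-Type we send.
        "X-Content-Type-Options": "nosniff",
        # Even if something is rendered, deny script and same-origin access.
        "Content-Security-Policy": "sandbox",
    }
    if ctype in INLINE_SAFE_TYPES and not _HTML_MARKERS.search(payload[:4096]):
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        # Force a download: the bytes never run inside the webmail domain.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed sample attachment resembling the advisory's scenario.
    sample = b"<html><body><script>alert(document.cookie)</script></body></html>"
    print(attachment_headers("text/html; charset=utf-8", "invoice.html", sample))
```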