Axigen XSS vulnerability for html attachments

2015.07.22
Credit: SecuriTeam
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

CVEID: CVE-2015-5379

SUBJECT: Axigen XSS vulnerability for html attachments

DESCRIPTION: Axigen's WebMail Ajax interface implements a view attachment function that executes javascript code that is part of email HTML attachments. This allows a malicious user to craft email messages that could expose an Axigen WebMail Ajax user to cross site scripting or other attacks that rely on arbitrary javascript code running within a trusted domain.

Axigen versions starting with 9.0 address this issue by limiting the attachment types that are loaded in the browser. For earlier Axigen versions patches are available on the Axigen support channel.

Affected Products and Versions: Axigen Mail Server [1] 8.x versions

Vendor Internal ID: AXI-CVE-20150601

Vendor security advisory: [2]

Reported by: An anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program [3]

[1] https://www.axigen.com
[2] https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html
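The advisory says the fix in Axigen 9.0 was to limit which attachment types are loaded in the browser. The following is an added illustration of that mitigation pattern, written for this page; it is not Axigen's code and the function names, the allowlist and the sample attachments are assumptions. It contrasts a handler that trusts the sender-declared MIME type and renders inline (the weakness class in CWE-79) with one that allows only a short list of passive types inline and forces everything else to a download with sniffing disabled.

```python
"""Attachment-serving policy for a webmail viewer (hypothetical illustration).

Weak behaviour: render whatever the message declares, in the webmail origin.
Hardened behaviour: inline only an allowlist of passive types; everything else
(HTML, SVG, XML, scripts, unknowns) is served as an opaque download.
"""
from dataclasses import dataclass, field

# Types that may be rendered inline in the webmail origin. Deliberately
# excludes text/html, image/svg+xml and anything else that can carry script.
INLINE_ALLOWLIST = frozenset({
    "image/png",
    "image/jpeg",
    "image/gif",
    "text/plain",
})


@dataclass(frozen=True)
class ResponseHeaders:
    content_type: str
    content_disposition: str
    extra: dict = field(default_factory=dict)


def _safe_filename(filename: str) -> str:
    # Strip characters that would let a filename break out of the quoted
    # Content-Disposition parameter or inject a second header line.
    return "".join(ch for ch in filename if ch not in '"\r\n')


def serve_attachment_legacy(filename: str, declared_type: str) -> ResponseHeaders:
    """Trusts the sender's MIME type and renders inline.

    An attachment declared as text/html is then parsed as a page of the
    webmail origin, so any script it contains runs with that origin's
    cookies and session.
    """
    return ResponseHeaders(declared_type, f'inline; filename="{filename}"')


def serve_attachment_hardened(filename: str, declared_type: str) -> ResponseHeaders:
    """Renders inline only allowlisted passive types; forces a download otherwise."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    name = _safe_filename(filename)
    extra = {
        # Stop the browser from second-guessing the type we send.
        "X-Content-Type-Options": "nosniff",
        # Even allowlisted content gets no script, forms or same-origin rights.
        "Content-Security-Policy": "sandbox",
    }
    if mime in INLINE_ALLOWLIST:
        return ResponseHeaders(mime, f'inline; filename="{name}"', extra)
    # Not allowlisted: hand it over as opaque bytes for the user to save.
    return ResponseHeaders(
        "application/octet-stream", f'attachment; filename="{name}"', extra
    )


if __name__ == "__main__":
    # Constructed sample attachments, not taken from any real message.
    samples = [
        ("invoice.html", "text/html"),
        ("logo.png", "image/png; charset=binary"),
        ("notes.txt", "text/plain"),
        ("diagram.svg", "image/svg+xml"),
    ]
    for fname, ctype in samples:
        weak = serve_attachment_legacy(fname, ctype)
        hard = serve_attachment_hardened(fname, ctype)
        print(f"{fname:14} legacy -> {weak.content_type}, {weak.content_disposition}")
        print(f"{'':14} hardened -> {hard.content_type}, {hard.content_disposition}")
```

The allowlist is the security decision: the hardened handler never consults the declared type to decide whether something is "probably fine", it only checks membership. Serving non-allowlisted content as `application/octet-stream` with `nosniff` matters because a browser that is allowed to sniff would still detect HTML inside a download and, for some content types, render it.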

References:

https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html