Axigen's WebMail Ajax interface implements a view attachment function that executes javascript code that is part of email HTML attachments. This allows a malicious user to craft email messages that could expose an Axigen WebMail Ajax user to cross site scripting or other attacks that rely on arbitrary javascript code running within a trusted domain.
788c7286734125b3725075a14d57b317c04a5fe4c16dd6e4f81e548ed40b5fc8CVEID: CVE-2015-5379
SUBJECT: Axigen XSS vulnerability for html attachments
DESCRIPTION: Axigen's WebMail Ajax interface implements a view
attachment function that executes javascript code that is part of email
HTML attachments.
This allows a malicious user to craft email messages that could expose
an Axigen WebMail Ajax user to cross site scripting or other attacks
that rely on arbitrary javascript code running within a trusted domain.
Axigen versions starting with 9.0 address this issue by limiting the
attachment types that are loaded in the browser.
For earlier Axigen versions patches are available on the Axigen support
channel.
Affected Products and Versions: Axigen Mail Server [1] 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory : [2]
Reported by: An anonymous researcher working with Beyond Security's
SecuriTeam Secure Disclosure program [3]
[1] https://www.axigen.com
[2]
https://www.axigen.com/knowledgebase/Ajax-WebMail-8-x-security-patch-CVE-2015-5379-_341.html
[3] http://www.beyondsecurity.com/ssd.html
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed