SSD Advisory – Axigen HTML Attachments Cross Site Scripting
SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Axigen is a Linux mail server, calendaring and collaboration solution: a 100% private, highly available and scalable messaging platform.
The attack is done by creating an HTML file containing a simple script, for example:
<script>alert(1)</script> (this script works in all browsers)
You can generate it with Notepad; in fact, you can also add a blank and a false extension to make it more "attractive".
Save the file and send it through a mail service such as Google Mail:
The result: when the recipient opens the attachment in the webmail interface, the browser renders the HTML in the webmail's origin and the script runs (XSS):
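The root cause described above is that an HTML attachment is rendered in the same browser origin as the webmail session, so any script it carries executes with the victim's session. The vendor fix quoted below limits the attachment types that are loaded in the browser. The following is an added example (not Axigen's own code, and not a reproduction of their patch) of a server-side attachment-serving policy that implements that idea: attachments are classified by their effective extension, declared MIME type and sniffed content, and anything script-capable is forced to download as opaque bytes instead of being displayed inline. The filenames, MIME lists and sample bytes are constructed for the example; the `serve_headers` function and its helpers are hypothetical names, not an Axigen API.

```python
"""
Added example (not Axigen's own code): a server-side policy for serving webmail
attachments so that HTML, SVG and other active content is never rendered in the
webmail origin, which is what made the attachment XSS above possible.
"""
import re

# Extensions and MIME types that a browser would execute if rendered inline.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "xht", "svg", "xml", "js", "mht", "mhtml"}
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml",
    "application/xml", "text/javascript", "application/javascript",
}
# The only types allowed to be displayed inline; everything else is a download.
INLINE_SAFE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}

# Markup that indicates script-capable content regardless of the declared type.
_ACTIVE_MARKUP = re.compile(rb"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def effective_extension(filename):
    """Return the extension the browser/OS would act on, after stripping
    trailing blanks and dots, so 'report.pdf .html' is seen as 'html'."""
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].strip().lower()


def looks_like_html(data):
    """Content sniff: markup at the start, or script-like constructs anywhere
    in the first 4 KiB. Deliberately conservative: a plain-text file that
    happens to start with '<' is downloaded rather than displayed."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:512].lower()
    if head.startswith(b"<"):
        return True
    return _ACTIVE_MARKUP.search(data[:4096]) is not None


def safe_filename(filename):
    """Neutralise characters that could break out of the Content-Disposition header."""
    return re.sub(r'[\r\n"\\;]', "_", filename.strip()) or "attachment"


def serve_headers(filename, declared_type, data):
    """Decide the response headers for one attachment.

    Active content (by extension, declared type or sniffed content) and any
    type outside INLINE_SAFE_TYPES is forced to download as opaque bytes.
    Every response carries nosniff and a sandbox CSP as defence in depth.
    """
    declared = (declared_type or "").split(";")[0].strip().lower()
    active = (
        effective_extension(filename) in ACTIVE_EXTENSIONS
        or declared in ACTIVE_TYPES
        or looks_like_html(data)
    )
    common = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if active or declared not in INLINE_SAFE_TYPES:
        return {
            **common,
            "Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="%s"' % safe_filename(filename),
        }
    return {
        **common,
        "Content-Type": declared,
        "Content-Disposition": 'inline; filename="%s"' % safe_filename(filename),
    }


if __name__ == "__main__":
    # Constructed sample: the advisory's proof of concept as an attachment.
    poc = serve_headers("xss.html", "text/html", b"<script>alert(1)</script>")
    print(poc["Content-Disposition"], poc["Content-Type"])
    # Constructed sample: the blank-plus-false-extension trick mentioned in the text.
    tricked = serve_headers("report.pdf .html", "application/pdf",
                            b"<html><script>alert(1)</script></html>")
    print(tricked["Content-Disposition"])
    # Constructed sample: a genuine PNG stays viewable inline.
    png = serve_headers("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    print(png["Content-Disposition"], png["Content-Type"])
```

The allow-list is the important design choice: the decision is "which few types may be displayed inline", not "which dangerous types to block", so a new active format or a lying `Content-Type` header defaults to a download. Serving attachments from a separate, cookie-less origin is the complementary control when inline display of rich content is a product requirement.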
A single CVE entry has been assigned to this vulnerability: CVE-2015-5379
The vendor response was exceptionally good; their response time and issuing of the patch took less than 1 month:
Axigen versions starting with 9.0 address this issue by limiting the attachment types that are loaded in the browser. For earlier Axigen versions, patches are available on the Axigen support
Affected Products and Versions: Axigen Mail Server 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory: Ajax WebMail 8.x security patch (CVE-2015-5379)