CVE-2023-40355

Severity: MEDIUM · Nuclei template available

Axigen Mobile Webmail 10.3.3.0-10.3.3.58, 10.4.0-10.4.18, 10.5.0-10.5.4 - Authenticated XSS via Version Switch

Title source: LLM (auto-generated title)

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-40355: a PoC published by ace-83. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a Python script that checks for the presence of a reflected XSS vulnerability (CVE-2023-40355) in Axigen webmail by sending a crafted request and checking whether the payload is reflected in the response. It does not exploit the vulnerability beyond detection.

Description

Cross-site scripting (XSS) vulnerability in Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5 (fixed in 10.3.3.59, 10.4.19 and 10.5.5). An authenticated attacker can inject script through the logic for switching between the Standard and Ajax webmail versions; the script runs in the browser of a logged-in user who opens a crafted link (the CVSS vector requires user interaction, UI:R), letting the attacker act in that user's session and obtain sensitive information. The original description's "execute arbitrary code" means script execution in the victim's browser, not code execution on the server.
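
The reflection check that the ace-83 PoC is described as performing, written out as an added example. This is not the PoC's code and not Axigen's; the endpoint path `/webmail/switch`, the query parameter `version`, and the `fake_fetch` responses are constructed placeholders (this page does not document the real version-switch URL or parameter). In real use, `fetch` would be a wrapper around an authenticated `requests.Session().get`, since the issue requires a logged-in session. The point a scanner author needs to get right is shown in `classify_reflection`: a payload that comes back HTML-encoded is not a finding, so the check distinguishes a raw echo from an escaped one instead of just grepping for the marker.

```python
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def make_probe():
    """Build a unique probe tag so a hit cannot be a coincidental match.

    The tag must come back with its angle brackets intact to count as
    exploitable; an HTML-encoded echo means the output was neutralised.
    """
    tag = "xprobe" + secrets.token_hex(4)
    return tag, f"<{tag}>"


def classify_reflection(body, tag, payload):
    """Return 'raw', 'encoded' or 'none' for how the probe was echoed."""
    if payload in body:
        return "raw"        # unencoded reflection: the XSS sink is live
    if html.escape(payload) in body or tag in body:
        return "encoded"    # reflected, but brackets were escaped or stripped
    return "none"


def check_target(fetch, base_url, endpoint="/webmail/switch", param="version"):
    """Send one probe through `fetch` (an authenticated GET) and classify it.

    `endpoint` and `param` are placeholders (assumptions), not the real
    Axigen version-switch URL, which is not documented on this page.
    """
    tag, payload = make_probe()
    url = f"{base_url}{endpoint}?{urlencode({param: payload})}"
    status, body = fetch(url)
    verdict = classify_reflection(body, tag, payload)
    return {
        "url": url,
        "status": status,
        "verdict": verdict,
        "vulnerable": verdict == "raw",
    }


def scan_domains(fetch, domains):
    """Check each host (the PoC reads these from domain.txt) and collect results."""
    return {d: check_target(fetch, f"https://{d}") for d in domains}


def fake_fetch(mode):
    """Constructed stand-in for an authenticated HTTP GET, for offline runs.

    mode 'raw' echoes the parameter verbatim (vulnerable), 'encoded' escapes
    it (patched behaviour), 'none' ignores it entirely.
    """
    def fetch(url):
        values = parse_qs(urlsplit(url).query)
        value = next(iter(values.values()), [""])[0]
        if mode == "raw":
            echoed = value
        elif mode == "encoded":
            echoed = html.escape(value)
        else:
            echoed = ""
        return 200, f"<html><body>Switching to {echoed} version</body></html>"
    return fetch


if __name__ == "__main__":
    for mode in ("raw", "encoded", "none"):
        result = check_target(fake_fetch(mode), "https://mail.example.test")
        print(mode, "->", result["verdict"])
```

Only a `raw` verdict is reported as vulnerable; an `encoded` verdict is useful to record anyway, because it shows the parameter reaches the page and tells you the fix is output encoding rather than the sink having been removed.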

Exploits (1)

Scanner PoC by ace-83 (source: nomisec)
https://github.com/ace-83/CVE-2023-40355


Classification: Scanner (90% confidence)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Axigen versions 10.3.3.0 before 10.3.3.59, 10.4.0 before 10.4.19, and 10.5.0 before 10.5.5
Auth required: yes
Prerequisites: a list of target domains in a 'domain.txt' file; network access to the target domains
MITRE ATT&CK: (none listed)
Analysis: devstral-2, Feb 18, 2026

Nuclei Templates (1)

Axigen WebMail - Cross-Site Scripting
Severity: MEDIUM · Verified · by amir-h-fallahi
Shodan: http.favicon.hash:-1247684400
FOFA: icon_hash=-1247684400

Scores

CVSS v3.1: 5.4 (Medium)
EPSS: 0.0109 (1.09%)
EPSS percentile: 61.0%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical impact: partial

Details

CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status published
Products (1)
axigen/axigen_mobile_webmail 10.3.3.0 through 10.3.3.58 (10.3.3.59 is the first fixed release; see the description for the affected 10.4.x and 10.5.x ranges)
Published Feb 07, 2024
Tracked Since Feb 18, 2026