CVE-2023-48974

CRITICAL

Axigen Mail Server < 10.5.7 - Cross-Site Scripting via serverName_input Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-48974. PoCs published by Vincent McRae_ Mesut Cetin, vinnie1717.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Axigen WebMail versions prior to 10.5.7. The `serverName_input` parameter is vulnerable to injection of malicious JavaScript, which executes when other administrators view the affected page.

Description

Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter.

Exploits (2)

exploitdb WORKING POC

by Vincent McRae_ Mesut Cetin · textwebappsphp

https://www.exploit-db.com/exploits/51963

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Axigen WebMail versions prior to 10.5.7. The `serverName_input` parameter is vulnerable to injection of malicious JavaScript, which executes when other administrators view the affected page.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Axigen WebMail < 10.5.7

Auth required

Prerequisites: Administrator access to Axigen WebMail · Valid session cookies

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec NO CODE

by vinnie1717 · poc

https://github.com/vinnie1717/CVE-2023-48974

View Code ZIP pw:eip

References (2)

Core 2

Core References

Product

https://www.axigen.com/mail-server/download/

Release Notes

https://www.axigen.com/updates/axigen-10.3.3.61

Scores

CVSS v3 9.6

EPSS 0.0658

EPSS Percentile 91.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

axigen/axigen_mail_server < 10.5.7

Published Feb 08, 2024

Tracked Since Feb 18, 2026