CVE-2024-50601
MEDIUMAxigen Mail Server <= 10.5.28 - Stored and Reflected Cross-Site Scripting via ThemeMode Cookie and _h URL Parameter
Title source: llmDescription
Persistent and reflected XSS vulnerabilities in the themeMode cookie and _h URL parameter of Axigen Mail Server up to version 10.5.28 allow attackers to execute arbitrary Javascript. Exploitation could lead to session hijacking, data leakage, and further exploitation via a multi-stage attack. Fixed in versions 10.3.3.67, 10.4.42, and 10.5.29.
References (1)
Core 1
Core References
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
14.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Published
Nov 11, 2024
Tracked Since
Feb 18, 2026