CVE-2025-68643
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Tags
Description
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.
Analysis
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. [CVSS 5.4 MEDIUM]
Technical Context
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Axigen Mail Server. Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and in
Affected Products
Vendor: Axigen. Product: Axigen Mail Server. Versions: up to 10.5.57.
Remediation
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today