CVE-2024-25080
Description
WebMail in Axigen 10.x before 10.3.3.62 allows XSS via the image attachment viewer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Axigen WebMail's image attachment viewer allows attackers to execute arbitrary JavaScript in a logged-in user's session.
Vulnerability
CVE-2024-25080 is a cross-site scripting (XSS) vulnerability in Axigen WebMail's image attachment viewer, affecting Axigen 10.x versions prior to 10.3.3.62. The root cause is improper sanitization of user-supplied input within the image viewer component, allowing attackers to inject arbitrary HTML and JavaScript code into WebMail pages [2].
Exploitation
To exploit this vulnerability, an attacker must first have an existing valid end-user session in Axigen WebMail. The attacker sends the victim an email containing a crafted link; when the victim clicks the link, the attacker's injected code executes within the context of the WebMail session [2].
Impact
Successful exploitation enables the attacker to perform actions on behalf of the logged-in user, such as exfiltrating email data, stealing credentials via fake authentication dialogs, or conducting phishing attacks under the WebMail domain [2].
Mitigation
Axigen has addressed this vulnerability in version 10.3.3.62. Users are advised to upgrade immediately. Axigen X4 (10.4.x) and X5 (10.5.x) are not affected [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <10.3.3.62
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.