Axigen Mail server 10.3.3.52 Two-Step verification #1

Open
umz-cert opened this issue Jan 12, 2023 · 0 comments
umz-cert commented Jan 12, 2023

Hi everyone.

[Suggested description]
A 2-Step Verification problem in Axigen mail server 10.3.3.52 lets the attacker access the mailbox
by bypassing 2-Step Verification when they try to add the account to any third-party webmail, or add
this account to Outlook, the Gmail application, etc., via IMAP or POP3 without any verification code.
This 2-Step Verification method only works via Axigen Webmail.


[Vulnerability Type]
Incorrect Access Control


[Vendor of Product]
Axigen


[Affected Product Code Base]
Axigen Mail Server 10.3.3.52


[Affected Component]
2-Step verification


[Attack Type]
Remote


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[CVE Impact Other]


[Attack Vectors]
To bypass an account's 2-step verification, you can add it in Outlook or the
Gmail application via IMAP or POP3 without any verification code.


[Reference]
https://www.axigen.com/mail-server/download/
https://www.axigen.com/documentation/2-step-verification-two-factor-authentication-for-webmail-p69140479


[Timelines]

  1. Reported to Axigen in Jan 2023

[Discoverer]
Soheil Samanabadi,
linkedin.com/in/soheil-samanabadi/

MAHER,
https://cert.ir/

Use CVE-2023-23566.
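The report above states the core problem: 2-step verification is enforced only by the webmail front end, so an IMAP or POP3 client that presents the account's primary password is never asked for a second factor. The script below is an added example, not part of the report and not Axigen code. It is the check a mail administrator would run against their own server to confirm whether a 2FA-enrolled account can still log in over IMAP with the password alone, using only a standard IMAP `LOGIN`. So that it runs offline, it includes a small constructed fake IMAP server that either accepts or rejects `LOGIN`; the host, port, account name and password are assumptions for the demonstration. Point `check_imap_password_only()` at a real IMAP endpoint (typically port 993 with `use_ssl=True`) to test one; the equivalent POP3 check is the same idea with `poplib`.

```python
"""Check whether an IMAP endpoint accepts a 2FA-enrolled account's primary
password on its own (2-step verification not enforced on IMAP).

The fake server below is constructed for an offline demonstration and is
not Axigen code; it only models the two possible outcomes of a LOGIN."""
import imaplib
import socketserver
import threading


def check_imap_password_only(host, port, user, password, use_ssl=False, timeout=10):
    """Return True if a plain IMAP LOGIN with user/password succeeds with no
    second factor involved; False if the server rejects the LOGIN."""
    cls = imaplib.IMAP4_SSL if use_ssl else imaplib.IMAP4
    conn = cls(host, port, timeout=timeout)
    try:
        conn.login(user, password)
        return True           # authenticated with the password alone: 2FA not enforced here
    except imaplib.IMAP4.error:
        return False          # LOGIN refused (e.g. 2FA enforced or app password required)
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


class _FakeIMAPHandler(socketserver.StreamRequestHandler):
    """Minimal IMAP4rev1 stand-in (constructed): greets the client, answers
    CAPABILITY, and accepts or rejects LOGIN per server.accept_login."""

    def handle(self):
        self.wfile.write(b"* OK fake IMAP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.decode("ascii", "replace").strip().split(" ", 2)
            tag = parts[0]
            cmd = parts[1].upper() if len(parts) > 1 else ""
            if cmd == "CAPABILITY":
                self.wfile.write(b"* CAPABILITY IMAP4rev1\r\n")
                self.wfile.write(f"{tag} OK CAPABILITY completed\r\n".encode())
            elif cmd == "LOGIN":
                if self.server.accept_login:
                    # Models a server that checks only the password over IMAP.
                    self.wfile.write(f"{tag} OK LOGIN completed\r\n".encode())
                else:
                    # Models a server that refuses password-only IMAP logins.
                    self.wfile.write(
                        f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed\r\n".encode())
            elif cmd == "LOGOUT":
                self.wfile.write(b"* BYE\r\n")
                self.wfile.write(f"{tag} OK LOGOUT completed\r\n".encode())
                return
            else:
                self.wfile.write(f"{tag} BAD unsupported\r\n".encode())


class FakeIMAPServer(socketserver.ThreadingTCPServer):
    """Loopback IMAP server on a random port, serving in a daemon thread."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, accept_login):
        super().__init__(("127.0.0.1", 0), _FakeIMAPHandler)
        self.accept_login = accept_login
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def stop(self):
        self.shutdown()
        self.server_close()


def demo(accept_login):
    """Run the check against a constructed fake server with the given policy
    and return the check's verdict (True means password-only login worked)."""
    srv = FakeIMAPServer(accept_login)
    try:
        port = srv.server_address[1]          # assumed test account and password below
        return check_imap_password_only("127.0.0.1", port, "alice@example.test", "CorrectHorse")
    finally:
        srv.stop()


if __name__ == "__main__":
    for policy in (True, False):
        verdict = demo(policy)
        print(f"server accepts password-only LOGIN={policy}: "
              f"2FA bypassable over IMAP -> {verdict}")
```

A `True` verdict against a production server for an account with 2-step verification enabled reproduces the condition described in this report: the second factor is never consulted on the protocol path. Until the vendor enforces it there, the practical mitigations are to disable IMAP/POP3 for 2FA-enrolled accounts or to require app-specific passwords for those protocols, and to alert on IMAP/POP3 logins for accounts that are expected to use webmail only.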
