CVE-2023-23566: Axigen Mail server 10.3.3.52 Two-Step verification · Issue #1 · umz-cert/vulnerabilities
A 2-Step Verification problem in Axigen 10.3.3.52 allows an attacker to access a mailbox by bypassing 2-Step Verification when they try to add an account to any third-party webmail service (or add an account to Outlook or Gmail, etc.) with IMAP or POP3 without any verification code.
Hi everyone.
[Suggested description]
A 2-Step Verification problem in Axigen Mail Server 10.3.3.52 lets an attacker access a mailbox
by bypassing 2-Step Verification: they add the account to any third-party webmail, or to an
application such as Outlook or Gmail, over IMAP or POP3 and are never asked for a verification code.
This 2-Step Verification method only works via Axigen Webmail.
[Vulnerability Type]
Incorrect Access Control
[Vendor of Product]
Axigen
[Affected Product Code Base]
Axigen Mail Server 10.3.3.52
[Affected Component]
2-Step verification
[Attack Type]
Remote
[Impact Escalation of Privileges]
true
[Impact Information Disclosure]
true
[CVE Impact Other]
[Attack Vectors]
To bypass an account's 2-step verification, you can add it in Outlook or
the Gmail application via IMAP or POP3 without any verification code.
[Reference]
https://www.axigen.com/mail-server/download/
https://www.axigen.com/documentation/2-step-verification-two-factor-authentication-for-webmail-p69140479
[Timelines]
- Reported to Axigen in January 2023
[Discoverer]
Soheil Samanabadi, UMZ-CERT
linkedin.com/in/soheil-samanabadi/
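As an added defender-side example (not part of this advisory and not Axigen's own code): because the verification step described above is enforced only in Axigen Webmail, any successful IMAP or POP3 login by an account that has 2-Step Verification turned on was authenticated with the password alone. The script below scans a login log for exactly that case and notes whether the client IP ever completed a verified webmail login for the same user. The log line format, the sample records and the list of 2FA-enabled accounts are all constructed for this example; the format is not Axigen's real log format and would have to be adapted to it.

```python
import re
from dataclasses import dataclass

# Constructed sample login records. The line format is invented for this
# example; it is NOT Axigen's real log format.
SAMPLE_LOG = """\
2023-01-10T08:01:12Z WEBMAIL LOGIN user=alice@example.test ip=203.0.113.5 result=OK
2023-01-10T08:02:40Z IMAP LOGIN user=alice@example.test ip=198.51.100.7 result=OK
2023-01-10T08:03:01Z POP3 LOGIN user=bob@example.test ip=198.51.100.9 result=OK
2023-01-10T08:04:15Z IMAP LOGIN user=carol@example.test ip=203.0.113.5 result=OK
2023-01-10T08:05:30Z IMAP LOGIN user=alice@example.test ip=198.51.100.7 result=FAIL
2023-01-10T08:06:02Z IMAP LOGIN user=alice@example.test ip=203.0.113.5 result=OK
"""

# Constructed: accounts whose owners turned on 2-Step Verification in webmail.
MFA_ENABLED = {"alice@example.test", "bob@example.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>WEBMAIL|IMAP|POP3) LOGIN "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    proto: str
    user: str
    ip: str
    new_ip: bool  # True if this IP never completed a webmail (verified) login for the user


def parse_line(line):
    """Parse one login record; return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unverified_protocol_logins(log_text, mfa_enabled):
    """Return successful IMAP/POP3 logins by accounts that have 2-Step Verification enabled.

    Since the second factor is only checked in webmail, every such login was
    accepted on the password alone. The new_ip flag marks client IPs that never
    passed the webmail flow for that user, which separates the owner's own mail
    client from a client the owner has never verified from.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]

    # Pass 1: per user, the IPs that completed the webmail 2-step flow.
    verified_ips = {}
    for r in records:
        if r["proto"] == "WEBMAIL" and r["result"] == "OK":
            verified_ips.setdefault(r["user"], set()).add(r["ip"])

    # Pass 2: successful protocol logins that skipped the verification step.
    findings = []
    for r in records:
        if r["proto"] in ("IMAP", "POP3") and r["result"] == "OK" and r["user"] in mfa_enabled:
            findings.append(Finding(
                ts=r["ts"], proto=r["proto"], user=r["user"], ip=r["ip"],
                new_ip=r["ip"] not in verified_ips.get(r["user"], set()),
            ))
    return findings


if __name__ == "__main__":
    for f in find_unverified_protocol_logins(SAMPLE_LOG, MFA_ENABLED):
        flag = "UNKNOWN-IP" if f.new_ip else "known-ip"
        print(f"{f.ts} {f.proto:<4} {f.user} from {f.ip} [{flag}]")
```

On the constructed sample this reports alice's IMAP login from 198.51.100.7 and bob's POP3 login as unknown-IP findings, and alice's later IMAP login from 203.0.113.5 as a known-IP one. This is a detection control only: as the report above states, the IMAP/POP3 path asks for nothing beyond the password, so a flagged login from a known IP still means the second factor was never checked.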