CVE-2025-68643
Stored XSS in Axigen Mail Server timeFormat Preference

Publication date: 2026-02-05

Last updated on: 2026-02-11

Assigner: MITRE

Description
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 CPEs)
Vendor   Product              Version / Range
axigen   axigen_mail_server   from 10.3.0 (inclusive) up to 10.5.57 (exclusive)
axigen   axigen_mail_server   from 10.6.0 (inclusive) up to 10.6.26 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-68643 is a stored Cross-Site Scripting (XSS) vulnerability in Axigen WebMail versions before 10.5.57. It occurs because the timeFormat account preference parameter is not properly sanitized when loaded from storage.

An attacker can exploit this vulnerability through a multi-stage attack. First, the attacker injects malicious JavaScript into the victim's timeFormat preference by exploiting another vulnerability or using compromised credentials. Then, when the victim logs into the WebMail interface, the malicious script is executed because the unsanitized timeFormat value is inserted into the webpage's DOM. [1]


How can this vulnerability impact me? :

This vulnerability can have serious impacts including the execution of arbitrary JavaScript in the victim's browser. The attacker can redirect resource loading to attacker-controlled servers, display fake login forms, steal user credentials, hijack sessions, and exfiltrate sensitive data. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if the Axigen WebMail server is running a vulnerable version (10.3.x, 10.4.x, 10.5.x up to 10.5.56, or 10.6.x up to 10.6.25) and verifying if the timeFormat account preference parameter has been tampered with to include malicious JavaScript payloads.

Since exploitation requires modification of the timeFormat preference, inspecting user account preferences for suspicious or unexpected JavaScript code in the timeFormat parameter can help detect compromise.

No specific commands are provided in the available resources for detection.
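The sink described in the Description above and the preference review suggested in this answer, as an added example that is not Axigen's code: a rendering function that concatenates the stored timeFormat value into markup verbatim (the CWE-79 pattern the advisory describes), its hardened form (allowlist validation with a safe fallback, plus output escaping), and a scan over exported preference records that flags values outside the allowlist. The allowlist of format characters, the <option> markup, the record shape and the sample records are assumptions made for illustration; the page does not document Axigen's actual time-format grammar, template or preference storage format.

```javascript
// Added example (not Axigen's code). The preference name "timeFormat"
// comes from the advisory; everything else below is assumed.

// Minimal HTML escaping for text placed inside an element body or a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// ASSUMED allowlist: a short string of format letters, digits, common
// separators and spaces. Angle brackets, quotes, "=" and anything else
// that could break out of markup is rejected outright.
const TIME_FORMAT_RE = /^[A-Za-z0-9 :.,\/\-]{1,32}$/;

function isValidTimeFormat(value) {
  return typeof value === "string" && TIME_FORMAT_RE.test(value);
}

// VULNERABLE: the stored preference is concatenated into markup as-is.
// A value such as '"><img src=x onerror="...">' closes the attribute
// and the element and the payload ends up in the DOM.
function renderTimeFormatUnsafe(pref) {
  return '<option selected value="' + pref + '">' + pref + "</option>";
}

// HARDENED: validate against the allowlist first and fall back to a
// known-good default, then escape on output so that even a stored value
// that slipped past validation cannot break out of the attribute or body.
function renderTimeFormatSafe(pref, fallback) {
  const value = isValidTimeFormat(pref) ? pref : fallback;
  const safe = escapeHtml(value);
  return '<option selected value="' + safe + '">' + safe + "</option>";
}

// Detection: walk exported account preferences and report every
// timeFormat value that does not match the allowlist. The record shape
// ({ account, timeFormat }) is assumed; adapt it to the real export.
function scanPreferences(records) {
  const findings = [];
  for (const rec of records) {
    if (!isValidTimeFormat(rec.timeFormat)) {
      findings.push({ account: rec.account, timeFormat: rec.timeFormat });
    }
  }
  return findings;
}

// Constructed sample data for the demonstration: two benign preferences
// and one that carries an injected payload.
const SAMPLE_RECORDS = [
  { account: "alice@example.com", timeFormat: "HH:mm" },
  { account: "bob@example.com", timeFormat: "hh:mm a" },
  {
    account: "mallory@example.com",
    timeFormat: '"><img src=x onerror="alert(document.cookie)">',
  },
];

console.log("unsafe:", renderTimeFormatUnsafe(SAMPLE_RECORDS[2].timeFormat));
console.log("safe:  ", renderTimeFormatSafe(SAMPLE_RECORDS[2].timeFormat, "HH:mm"));
console.log("findings:", JSON.stringify(scanPreferences(SAMPLE_RECORDS)));
```

The scan is only as good as the allowlist: if the real product accepts format characters the regex above does not, legitimate preferences will be reported, so tune TIME_FORMAT_RE to the documented grammar before treating a hit as evidence of tampering. Reviewing values is a check for past compromise; it does not replace upgrading to a fixed version.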


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to update Axigen Mail Server to a fixed release on the branch in use: 10.5.57 or later on the 10.5 branch, or 10.6.26 or later on the 10.6 branch (10.6.0 through 10.6.25 are also affected).

Additionally, reviewing and securing user credentials to prevent unauthorized modification of the timeFormat preference is important.

Monitoring and restricting access to the WebMail interface to trusted users can also reduce risk.

