CVE-2024-50601 is a cross-site scripting (XSS) vulnerability identified in Axigen Mail Server versions up to 10.5.28. The flaw exists in two vectors: the themeMode cookie and the _h URL parameter. Both allow injection of malicious JavaScript code that is either reflected immediately or stored persistently, leading to execution in the context of the user's browser session. This vulnerability stems from improper sanitization of user-supplied input, classified under CWE-79. Exploiting this vulnerability does not require authentication but does require user interaction, such as clicking a crafted link or visiting a malicious page. Successful exploitation can result in session hijacking, allowing attackers to impersonate legitimate users, data leakage from the victim's session, and potentially facilitate further attacks by chaining with other vulnerabilities. The vulnerability affects multiple versions of Axigen Mail Server, a widely used mail server solution, and was officially published on November 11, 2024. The vendor has released patches in versions 10.3.3.67, 10.4.42, and 10.5.29 to address these issues. The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported to date, but the vulnerability's nature makes it a candidate for phishing or targeted attacks.

The primary impact of CVE-2024-50601 is the compromise of user sessions and confidentiality within organizations using vulnerable Axigen Mail Server versions. Attackers can hijack sessions, leading to unauthorized access to sensitive email communications and potentially internal systems if session tokens are reused or provide access to other resources. Data leakage risks include exposure of sensitive emails or credentials stored or accessible via the mail server interface. The vulnerability also opens the door for multi-stage attacks, where initial XSS exploitation can be leveraged to deploy malware, conduct phishing, or escalate privileges. Organizations relying on Axigen Mail Server for critical email infrastructure face risks of operational disruption and reputational damage if exploited. Since exploitation requires user interaction, phishing campaigns or social engineering could be used to trigger the vulnerability. The medium severity indicates a moderate but non-trivial risk, especially in environments with high-value targets or lax user security awareness.

Organizations should immediately verify their Axigen Mail Server version and upgrade to the patched releases 10.3.3.67, 10.4.42, or 10.5.29 as applicable. In addition to patching, administrators should implement strict input validation and output encoding on all user-controllable fields, especially cookies and URL parameters, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the mail server. Educate users about the risks of clicking unknown links or opening suspicious emails to reduce the likelihood of user interaction exploitation. Monitor web server logs for unusual requests targeting the themeMode cookie or _h parameter and consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads. Regularly audit and test the mail server environment for similar vulnerabilities and maintain an incident response plan to quickly address any exploitation attempts. Finally, review session management practices to limit session lifetime and scope to reduce the impact of session hijacking.