Reflected Cross-Site Scripting Vulnerability in MailEnable Email Software
CVE-2025-34398

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34398?

A reflected cross-site scripting vulnerability exists in MailEnable versions prior to 10.54 due to inadequate sanitization of the AddressesBcc parameter in the AddressBook.aspx interface. When processed via a GET request, a crafted payload can manipulate the JavaScript execution context, allowing attackers to embed malicious scripts. This exploitation can result in various attacks, including redirecting users to harmful sites, stealing cookies, and executing unauthorized actions on behalf of authenticated users, compromising user data and security.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.
CVE-2025-34398 : Reflected Cross-Site Scripting Vulnerability in MailEnable Email Software