Reflected XSS Vulnerability in MailEnable by MailEnable
CVE-2025-34399

5.3 MEDIUM

Key Information:

Vendor

MailEnable

CVE Published:
9 December 2025

What is CVE-2025-34399?

MailEnable versions prior to 10.54 are vulnerable to a reflected cross-site scripting (XSS) issue in the AddressesCc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The flaw arises because the AddressesCc value is not adequately sanitized when processed via a GET request. This allows an attacker to inject malicious JavaScript through a crafted payload that breaks out of the LoadCurAddresses() function call, so that attacker-controlled script runs in the victim's browser during email sending operations. Through successful exploitation, attackers can redirect users to harmful websites, steal non-HttpOnly cookies, inject malicious HTML or CSS, and perform actions as the authenticated user, posing a significant security risk to users.

Affected Version(s)

MailEnable, all versions earlier than 10.54

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)