Reflected Cross-Site Scripting Vulnerability in MailEnable Email Software
CVE-2025-34403

5.3 MEDIUM

Key Information:

Vendor: MailEnable
CVE Published: 9 December 2025

What is CVE-2025-34403?

A reflected cross-site scripting (XSS) vulnerability has been identified in MailEnable versions prior to 10.54. The flaw lies in the FieldTo parameter of the AddressBook.aspx page: its value is not adequately sanitized before being reflected into the page during a GET request. An attacker can exploit this by crafting a payload that interrupts the Finish() function and injects malicious script. When a victim then sends an email, the injected script executes in the victim's browser, potentially redirecting them to harmful websites, stealing session cookies that are not marked HttpOnly, or performing unauthorized actions as the authenticated user, thereby endangering sensitive information.
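As an added illustration (not MailEnable's code, which this page does not show), the pattern behind this bug class beside a hardened alternative: a hypothetical handler that concatenates the raw FieldTo value into an inline Finish() call, next to one that validates the value and encodes it as a JavaScript string literal. It assumes FieldTo carries a ';'-separated recipient address list; the render helpers are illustrative names.

```python
import json
import re

# Assumption for this illustration: FieldTo carries ';'-separated addresses.
ADDRESS = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def looks_like_address_list(value: str) -> bool:
    """Defence in depth: reject anything that is not a plain address list
    before it is ever reflected into the page."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    return bool(parts) and all(ADDRESS.fullmatch(p) for p in parts)


def js_string_literal(value: str) -> str:
    """Encode value as a JavaScript string literal safe for an inline <script>.

    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements keep the literal from closing the script element or opening
    an HTML comment, and escape the two line terminators that JSON allows raw
    but JavaScript string literals do not."""
    encoded = json.dumps(value, ensure_ascii=False)
    return (encoded.replace("</", "<\\/")
                   .replace("<!--", "<\\!--")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def render_unsafe(field_to: str) -> str:
    """Hypothetical vulnerable pattern: raw query value concatenated into JS."""
    return f'<script>Finish("{field_to}");</script>'


def render_safe(field_to: str) -> str:
    """Hardened pattern: validate first, then emit a properly encoded literal."""
    if not looks_like_address_list(field_to):
        raise ValueError("FieldTo is not a recipient address list")
    return f"<script>Finish({js_string_literal(field_to)});</script>"


if __name__ == "__main__":
    # Constructed inputs: a benign list and one carrying a stray quote.
    print(render_safe("alice@example.com; bob@example.org"))
    print(render_unsafe('alice@example.com"'))   # quote lands unescaped in JS
    print(js_string_literal('alice@example.com"'))  # quote is escaped
```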

Affected Version(s)

MailEnable, all versions prior to 10.54

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)