Reflected Cross-Site Scripting Vulnerability in MailEnable Software
CVE-2025-34404

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34404?

MailEnable versions prior to 10.54 are susceptible to a reflected cross-site scripting (XSS) vulnerability found in the InstanceScope parameter of the /Mondo/lang/sys/Forms/CAL/compose.aspx endpoint. This vulnerability arises because the InstanceScope value is inadequately sanitized when processed through a GET request, resulting in malicious scripts being reflected back in a JavaScript variable. An attacker can exploit this by crafting a payload that disrupts the PageLoad() function, allowing the execution of arbitrary JavaScript within the victim's browser. This could lead to serious security risks, including the redirection of users to malicious websites, theft of non-HttpOnly cookies, injection of unauthorized HTML or CSS, and potential actions taken as the authenticated user.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.