Reflected Cross-Site Scripting Vulnerability in MailEnable by MailEnable
CVE-2025-34406

5.3 MEDIUM

Key Information:

Vendor: MailEnable

CVE Published: 9 December 2025

What is CVE-2025-34406?

MailEnable versions prior to 10.54 are susceptible to a reflected cross-site scripting (XSS) vulnerability stemming from improper sanitization of the Id parameter in the /Mobile/ContactDetails.aspx page. When a crafted payload is sent in a GET request, the response reflects the unfiltered data within a block, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. Exploitation can lead to redirection to malicious sites, theft of session cookies, and injection of attacker-controlled HTML or CSS, ultimately compromising the integrity of the authenticated user's session.
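As an added detection example (not code from the advisory or from MailEnable), the function below scans web-server access-log lines for GET requests to /Mobile/ContactDetails.aspx whose Id parameter, once URL-decoded, carries HTML markup. The Common Log Format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2025:10:01:02 +0000] "GET /Mobile/ContactDetails.aspx?Id=1234 HTTP/1.1" 200 812
10.0.0.7 - - [09/Dec/2025:10:01:09 +0000] "GET /Mobile/ContactDetails.aspx?Id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 903
10.0.0.7 - - [09/Dec/2025:10:01:15 +0000] "GET /Mobile/ContactDetails.aspx?Id=42%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 911
10.0.0.9 - - [09/Dec/2025:10:02:00 +0000] "GET /Mobile/Inbox.aspx?Id=%3Cb%3E HTTP/1.1" 200 500
"""

# Client IP, timestamp, method, request target and status from a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters and tokens that have no business in a numeric contact Id.
MARKUP_RE = re.compile(r'[<>"\']|javascript:|on\w+\s*=', re.IGNORECASE)
TARGET_PATH = "/mobile/contactdetails.aspx"


def suspicious_id_values(log_text):
    """Return (client ip, decoded Id) for GETs to the affected page whose Id carries markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        if url.path.lower() != TARGET_PATH:
            continue
        # parse_qs percent-decodes once; decode again to catch double-encoded values.
        for raw in parse_qs(url.query, keep_blank_values=True).get("Id", []):
            value = unquote_plus(raw)
            if MARKUP_RE.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_id_values(SAMPLE_LOG):
        print(f"{ip} sent markup in Id: {value!r}")
```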

Affected Version(s)

MailEnable 0 < 10.54

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)