Reflected Cross-Site Scripting Vulnerability in MailEnable
CVE-2025-34408

5.3MEDIUM

Key Information:

Vendor

Mailenable

Status
Mailenable
Vendor
CVE Published:
9 December 2025

What is CVE-2025-34408?

MailEnable versions prior to 10.54 are vulnerable to a reflected cross-site scripting (XSS) flaw. This vulnerability arises from improper sanitization of the Added parameter in the /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx page, allowing an attacker to inject malicious scripts through crafted GET requests. An attacker can exploit this by manipulating the Added value to close existing HTML tags and insert arbitrary JavaScript into a victim's browser when they visit a compromised link. Such exploitation can result in unauthorized access to sensitive information, redirection to malicious sites, theft of cookies, or execution of arbitrary actions on behalf of the authenticated user.

Affected Version(s)

MailEnable 0 < 10.54

References

https://mailenable.com/Standard-ReleaseNotes.txt
release-notespatch
https://www.mailenable.com/
product
https://www.vulncheck.com/advisories/mailenable-reflected...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
JSON
.