Reflected Cross-Site Scripting Vulnerability in MailEnable by MailEnable
CVE-2025-34425
5.3 MEDIUM
What is CVE-2025-34425?
MailEnable versions before 10.54 are susceptible to a reflected cross-site scripting (XSS) vulnerability caused by improper sanitization of the WindowContext parameter in the /Mondo/lang/sys/Forms/MAI/compose.aspx endpoint. An attacker can craft a GET request whose WindowContext value injects malicious JavaScript into the victim's browser via the window.location context. This can lead to unauthorized actions, including redirecting users to harmful sites and potentially stealing session cookies or other sensitive information. Users are advised to upgrade to a fixed version (10.54 or later) to mitigate these risks.
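For servers that have not yet been upgraded, web logs can be reviewed for GET requests to this endpoint whose WindowContext value is not a plain identifier. The following is an added example, not code from this advisory or from MailEnable. The reduced log layout, the allowlist of "normal" characters and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# Endpoint and parameter named in the advisory (compared case-insensitively).
ENDPOINT = "/mondo/lang/sys/forms/mai/compose.aspx"
PARAM = "windowcontext"
# Assumption: a legitimate WindowContext value is a plain identifier.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.\-]*$")

def suspicious_value(stem, query):
    """Return the decoded WindowContext value if it breaks the allowlist."""
    if stem.lower() != ENDPOINT:
        return None
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes one layer of percent-encoding; a double-encoded
        # value still contains '%' afterwards and so fails the allowlist too.
        if name.lower() == PARAM and not SAFE_VALUE.match(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, decoded_value) for every suspicious GET request."""
    hits = []
    for line in lines:
        fields = line.split()
        # Constructed layout: date time c-ip method uri-stem uri-query status
        if len(fields) != 7 or fields[3] != "GET":
            continue
        value = suspicious_value(fields[4], fields[5])
        if value is not None:
            hits.append((fields[2], value))
    return hits

# Constructed sample lines; the values are harmless markers, not payloads.
STEM = "/Mondo/lang/sys/Forms/MAI/compose.aspx"
SAMPLE_LOG = [
    f"2025-01-01 10:00:00 203.0.113.5 GET {STEM} WindowContext=win1 200",
    f"2025-01-01 10:00:05 203.0.113.9 GET {STEM} WindowContext=%22%3E%3Cx%3E 200",
    f"2025-01-01 10:00:09 203.0.113.9 GET {STEM} windowcontext=a%2522b 200",
    "2025-01-01 10:00:12 203.0.113.7 GET /Mondo/other.aspx WindowContext=%3Cx%3E 200",
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent WindowContext={value!r}")
```

A hit is a lead for review rather than proof of exploitation, since the allowlist may be stricter than the values the webmail client actually sends.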
Affected Version(s)
MailEnable 0 < 10.54
References
CVSS V4
Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
MushroomSecTeam (Spotify, AmirSUN, M30Brad, Hannah Green, av01t3x, PG)
