CVE-2025-34409 in MailEnableالمعلومات

الملخص

بحسب MITRE • 09/12/2025

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

VulnCheck

حجز

15/04/2025

إفشاء

09/12/2025

الاعتدال

تمت الموافقة

إدخال

VDB-335492

EPSS

0.00014

KEV

لا

النشاطات

منخفض جدًا

القطاع

Industry, Hospital, ...

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2025-34409
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-34409
CVE Detailshttps://www.cvedetails.com/cve/CVE-2025-34409/

التالي نظرة عامة السابق

Interested in the pricing of exploits?

See the underground prices here!