CVE-2025-34409 in MailEnableinformación

Resumen

por MITRE • 2025-12-09

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the Failed parameter of /Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx. The Failed value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of existing markup and inject arbitrary script. A remote attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

VulnCheck

Reservar

2025-04-15

Divulgación

2025-12-09

Moderación

aceptado

Artículo

VDB-335492

CPE

listo

EPSS

0.00014

KEV

no

Actividades

muy bajo

Sector

Hospital, Police, ...

Fuentes

MITREhttps://www.cve.org/CVERecord?id=CVE-2025-34409
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2025-34409
CVE Detailshttps://www.cvedetails.com/cve/CVE-2025-34409/

AnteriorVisión De ConjuntoPróximo

Do you know our Splunk app?

Download it now for free!