--------------------------------------------------------------------------- MailEnable <= 10.54 Multiple Reflected Cross-Site Scripting Vulnerabilities ---------------------------------------------------------------------------
[-] Software Link: https://www.mailenable.com [-] Affected Versions: Version 10.54 and prior versions. [-] Vulnerabilities Description: 1) Vulnerable code in ManageShares.aspx User input passed through the "SelectedIndex" GET parameter to the /Mondo/lang/sys/Forms/ManageShares.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks. Proof of Concept: https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/ManageShares.aspx?SelectedIndex=%27;}alert(%27XSS%27);function%20x(){return%27 An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim's browser. 2) Vulnerable code in FreeBusy.aspx User input passed through the "Attendees" GET parameter to the /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks. Proof of Concept: https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?Attendees=%27);}alert(%27XSS%27);function%20x(){return%20x(%27 An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim's browser. 3) Vulnerable code in FreeBusy.aspx User input passed through the "StartDate" GET parameter to the /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized before being used to generate JavaScript code, allowing an attacker to break out of the existing function and inject arbitrary JavaScript. This can be exploited by attackers to perform Reflected Cross-Site Scripting (XSS) attacks. Proof of Concept: https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?StartDate=%27);}alert(%27XSS%27);function%20x(){return%20x(%27 An attacker can use a crafted link like the one above to trick a victim user into issuing a request containing a malicious payload. The application reflects unsanitized input into JavaScript code, enabling execution of arbitrary script in the victim's browser. [-] Solution: Upgrade to version 10.55 or later. [-] Disclosure Timeline: [24/02/2026] - Vendor notified [02/03/2026] - Vendor released version 10.55, including fixes for these vulnerabilities [02/03/2026] - CVE identifier requested [23/03/2026] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.org) has not assigned a CVE identifier for these vulnerabilities. [-] Credits: Vulnerabilities discovered by Egidio Romano. [-] Other References: https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 [-] Original Advisory: https://karmainsecurity.com/KIS-2026-05 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
