MailEnable
cpe:2.3:a:mailenable:mailenable:*:*:*:*:*:*:*
- < 10.54
A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the Message parameter of the /Mobile/Compose.aspx page, where input is not properly sanitized before being reflected into a JavaScript context via a GET request. This vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser by crafting a reply URL that injects malicious scripts. Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the user, such as stealing non-HttpOnly cookies, injecting harmful HTML or CSS, or redirecting the user to malicious websites.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the user's browser.
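For defenders reviewing web server logs on hosts that ran a version before 10.54, the following added example (not part of the original advisory or of MailEnable) flags GET requests to /Mobile/Compose.aspx whose Message value contains characters able to break out of a JavaScript string. It assumes IIS W3C extended logs; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

TARGET_STEM = "/mobile/compose.aspx"  # page named in the advisory; compared lower-cased
TARGET_PARAM = "message"              # parameter named in the advisory
# Characters that can end a JavaScript string literal or an inline <script> block.
BREAKOUT = re.compile(r"""['"`\\<>\r\n\u2028\u2029]""")

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-01-01 10:00:00 GET /Mobile/Compose.aspx Message=Thanks+for+the+update 192.0.2.10 200
2024-01-01 10:00:05 GET /mobile/compose.aspx ID=1&message=x%2527%253B%252F%252F 198.51.100.7 200
2024-01-01 10:00:09 GET /Mobile/Inbox.aspx Message=%27 192.0.2.11 200
""".splitlines()

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for GETs whose Message value has breakout characters."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "GET" or row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        # parse_qsl decodes once; fully_decode unwraps any further encoding layers.
        for name, value in parse_qsl(row.get("cs-uri-query", ""), keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() == TARGET_PARAM and BREAKOUT.search(decoded):
                hits.append((row.get("c-ip", "-"), decoded))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

Legitimate values can contain quotes, so treat hits as triage leads to correlate with referrers and follow-on activity rather than as confirmed exploitation.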