MailEnable Reflected Cross-Site Scripting Vulnerability in Address Book Component

Vulnerability

A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the AddressesBcc parameter of the AddressBook.aspx page. The vulnerability arises because the AddressesBcc value supplied in a GET request is not adequately sanitized before being reflected into the page, allowing attacker-controlled scripts to be injected and executed in the context of the user's browser. Exploitation is triggered when the victim attempts to send an email, potentially leading to the theft of non-HttpOnly cookies, execution of actions on behalf of the authenticated user, and redirection to malicious websites.
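As an added illustration that is not part of the advisory and not MailEnable's own code, the following Python snippet shows a defender-side check built from the two identifiers the advisory gives, AddressBook.aspx and AddressesBcc. It applies an allowlist for what a BCC recipient list may legitimately contain, then runs that allowlist over constructed web-server access-log lines to flag requests whose AddressesBcc value could not be a real address list. The webmail path, the log format and the sample requests are assumptions for the example, not details from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters a recipient list can legitimately contain: address characters plus
# the separators webmail clients use (";", ",", whitespace). A value containing
# anything else (angle brackets, quotes, slashes, ...) cannot be an address list.
ADDRESS_LIST_RE = re.compile(r"[A-Za-z0-9._%+\-@;,\s]*")

# Request line inside a Common Log Format entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). The /webmail/ path is an
# assumed placeholder; only the page name and parameter come from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2025:22:10:01 +0000] "GET /webmail/AddressBook.aspx?AddressesBcc=alice%40example.com%3Bbob%40example.com HTTP/1.1" 200 5123
10.0.0.7 - - [09/Dec/2025:22:11:44 +0000] "GET /webmail/AddressBook.aspx?AddressesBcc=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5301
10.0.0.9 - - [09/Dec/2025:22:12:09 +0000] "GET /webmail/Inbox.aspx HTTP/1.1" 200 8810
"""


def addresses_bcc_is_clean(value: str) -> bool:
    """Allowlist check on an already URL-decoded AddressesBcc value."""
    return ADDRESS_LIST_RE.fullmatch(value) is not None


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_value) for GET requests to AddressBook.aspx whose
    AddressesBcc parameter fails the recipient-list allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.lower().endswith("/addressbook.aspx"):
            continue
        # parse_qs percent-decodes values; keys are lowered because ASP.NET treats
        # query-string names case-insensitively, so "addressesbcc=" must also match.
        params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
        for value in params.get("addressesbcc", []):
            if not addresses_bcc_is_clean(value):
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: AddressesBcc value fails recipient-list allowlist: {value!r}")
```

The same allowlist can serve as server-side input validation on the parameter itself, but it complements rather than replaces the real fix, which is context-aware output encoding of the value wherever it is written into the page; the vendor update to 10.54 is what removes the flaw.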

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, with the potential to steal non-HttpOnly cookies, perform actions as the authenticated user, and redirect the victim to malicious sites.

Remediation

Users should update to MailEnable version 10.54 or later to address this vulnerability.

Added: Dec 9, 2025, 11:05 PM
Updated: Dec 9, 2025, 11:05 PM

Vulnerability Rating (Custom Algorithm)

spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.