MailEnable Reflected Cross-Site Scripting Vulnerability in Address Book Web Form

Vulnerability

A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the AddressesCc parameter of the AddressBook.aspx web form. The vulnerability arises because the AddressesCc value is not adequately sanitized when processed through a GET request. This unsanitized input is reflected within a <script> block in the JavaScript variable sAddrCc. An attacker can exploit this by sending a crafted payload that disrupts the existing LoadCurAddresses() function, injects malicious script, and comments out the remaining code. As a result, arbitrary JavaScript can be executed in the context of the victim's browser when they attempt to send an email. Exploitation of this vulnerability could lead to redirection to malicious sites, theft of non-HttpOnly cookies, injection of arbitrary HTML or CSS, and actions performed as the authenticated user.
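The following is an added example, not MailEnable's code, that contrasts the unsafe pattern the advisory describes (a request value concatenated straight into a JavaScript string inside a <script> block) with a hardened rendering that encodes the value as a JavaScript string literal, plus a check a reviewer can run over the rendered output. The function names, the template layout and the constructed input (a string of characters an encoder must neutralize) are assumptions for illustration.

```javascript
// Added example (not MailEnable's code). Function names and the template
// structure are assumptions; only the variable/function names sAddrCc and
// LoadCurAddresses come from the advisory.

// Unsafe: the raw query value is concatenated into a JS string literal.
// A value containing a quote or "</script>" changes what the browser parses.
function renderScriptUnsafe(addressesCc) {
  return '<script>\n' +
    'var sAddrCc = "' + addressesCc + '";\n' +
    'function LoadCurAddresses() { /* uses sAddrCc */ }\n' +
    '</script>';
}

// Encode a value as a JS string literal that is safe inside an inline
// <script>: JSON.stringify handles quotes, backslashes and control chars;
// the extra replacements cover characters JSON leaves raw but the HTML
// parser (<, >, &) or JS line-terminator rules (U+2028/9) care about.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')      // blocks "</script>" and any tag start
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderScriptSafe(addressesCc) {
  return '<script>\n' +
    'var sAddrCc = ' + jsStringLiteral(addressesCc) + ';\n' +
    'function LoadCurAddresses() { /* uses sAddrCc */ }\n' +
    '</script>';
}

// Defender-side check on the rendered block: no premature "</script" and
// sAddrCc is still exactly one well-formed double-quoted string literal.
function isContained(rendered) {
  const body = rendered.slice('<script>\n'.length, -'</script>'.length);
  return !/<\/script/i.test(body) &&
         /^var sAddrCc = "(?:[^"\\\n\r]|\\.)*";\n/.test(body);
}

// Round-trip: the encoded literal evaluates back to the original value,
// so the hardening loses no data the page's own JavaScript needs.
function roundTrip(value) {
  return new Function('return ' + jsStringLiteral(value) + ';')();
}

// Constructed input holding the characters an encoder must neutralize.
const HOSTILE = 'a@example.com"</script>\u2028\'<b>&';
```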

Impact

Exploitation allows for reflected cross-site scripting, where an attacker can execute JavaScript in the victim's browser, potentially leading to cookie theft, redirection to malicious sites, and actions performed as the user.

Added: Dec 9, 2025, 11:04 PM
Updated: Dec 9, 2025, 11:04 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.3
exploitability: 6.5
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.