MailEnable
cpe:2.3:a:mailenable:mailenable:*:*:*:*:*:*:*
- < 10.54
A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the AddressesTo parameter of the AddressBook.aspx page. The AddressesTo value is not adequately sanitized when it is processed through a GET request, which allows attacker-controlled scripts to be injected and executed in the context of the user's browser. Exploitation occurs when the victim attempts to send an email, and can lead to the execution of arbitrary JavaScript, redirection to malicious sites, theft of non-HttpOnly cookies, injection of arbitrary HTML or CSS, and actions performed as the authenticated user.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute scripts in the context of the user's browser.
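For triage on servers still running a version below 10.54, the following added example (not MailEnable code and not part of the original advisory) reviews logged GET request targets for AddressBook.aspx and reports AddressesTo values that are not a plain recipient list. It assumes AddressesTo normally carries addresses separated by `;` or `,`; the URL path prefix and all sample requests are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: a legitimate AddressesTo value is a ;- or ,-separated list of
# bare addresses or "Display Name" <address> entries.
ADDR = r"[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+"
ENTRY = re.compile(rf'^\s*(?:{ADDR}|"?[\w .-]*"?\s*<{ADDR}>)\s*$')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_addresses_to(request_target):
    """Return the AddressesTo entries that do not look like recipients."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/addressbook.aspx"):
        return []
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "addressesto":
            continue
        value = fully_decode(value)
        for entry in re.split(r"[;,]", value):
            if entry.strip() and not ENTRY.match(entry):
                findings.append(entry.strip())
    return findings

# Constructed request targets; "/webmail-placeholder" is not a real path.
SAMPLES = [
    "/webmail-placeholder/AddressBook.aspx?AddressesTo=alice%40example.com%3Bbob%40example.com",
    "/webmail-placeholder/AddressBook.aspx?AddressesTo=%22Bob%20Smith%22%20%3Cbob%40example.com%3E",
    "/webmail-placeholder/AddressBook.aspx?AddressesTo=%3Cb%3Econstructed-markup%3C%2Fb%3E",
    "/webmail-placeholder/AddressBook.aspx?AddressesTo=%253Cb%253Ex%253C%252Fb%253E",
    "/webmail-placeholder/Other.aspx?AddressesTo=%3Cb%3Ex%3C%2Fb%3E",
]

if __name__ == "__main__":
    for target in SAMPLES:
        hits = suspicious_addresses_to(target)
        if hits:
            print("REVIEW", target, hits)
```

A hit means the request deserves review, not that script ran; upgrading to 10.54 or later remains the fix.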