MailEnable Reflected Cross-Site Scripting Vulnerability in AddressBook.aspx

Vulnerability

A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the FieldBcc parameter of the AddressBook.aspx page. The vulnerability arises because the FieldBcc value is not adequately sanitized when processed through a GET request. This unsanitized input is reflected within a <script> block in a JavaScript variable, allowing remote attackers to execute arbitrary JavaScript in the context of the victim's browser during email composition. Exploitation of this vulnerability could lead to redirection to malicious sites, theft of non-HttpOnly cookies, injection of arbitrary HTML or CSS, and execution of actions as the authenticated user.

Impact

Exploitation allows for the execution of arbitrary JavaScript in the victim's browser, potentially leading to cookie theft, injection of malicious HTML or CSS, and execution of actions as the authenticated user.

Remediation

Update to MailEnable version 10.54 or later, which addresses this vulnerability.

Added: Dec 9, 2025, 11:03 PM
Updated: Dec 9, 2025, 11:03 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          1.7
exploitability  6.5
remediation     7.7
relevance       1.4
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.