MailEnable
cpe:2.3:a:mailenable:mailenable:*:*:*:*:*:*:*
- < 10.54
A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the FieldCc parameter of the AddressBook.aspx page. The vulnerability arises because the FieldCc value is not adequately sanitized when processed through a GET request. This unsanitized input is reflected within a <script> block in a JavaScript variable, allowing remote attackers to execute arbitrary JavaScript in the context of the victim's browser. Exploitation of this vulnerability could occur when the victim attempts to send an email, potentially leading to redirection to malicious sites, theft of non-HttpOnly cookies, injection of arbitrary HTML or CSS, and execution of actions as the authenticated user.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser.
To reproduce this vulnerability, send a GET request to the AddressBook.aspx page with a crafted payload in the FieldCc parameter. The payload should be designed to terminate the existing LoadCurAddresses() function, inject attacker-controlled script, and comment out any remaining code. Once the payload is executed, the injected script will run in the victim's browser when they attempt to send an email.
Users are advised to update to MailEnable version 10.54 or later, where this vulnerability has been fixed.
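The root cause described above, a request value reflected into a JavaScript string inside a <script> block, shown next to a context-appropriate encoding, as an added example that is not MailEnable's code. The template, helper names and sample value are assumptions made for illustration; only FieldCc and LoadCurAddresses() come from the advisory.

```javascript
// Added illustration, not MailEnable source. The template is hypothetical;
// only the names FieldCc and LoadCurAddresses() come from the advisory.
const PREFIX = "<script>function LoadCurAddresses(){var cc='";
const SUFFIX = "';}</script>";

// Vulnerable pattern: the query-string value lands in the literal unchanged.
function renderUnsafe(fieldCc) {
  return PREFIX + fieldCc + SUFFIX;
}

// Encode for a JavaScript string literal inside an inline <script> element.
// Every character outside a small inert allowlist becomes \uXXXX, so quotes,
// backslashes, '<', '/', '>' and line terminators cannot end the literal,
// the function body, or the script element itself.
function jsStringEncode(value) {
  const s = String(value);
  let out = "";
  for (let i = 0; i < s.length; i++) { // walk UTF-16 code units
    const ch = s[i];
    out += /[A-Za-z0-9 @._,-]/.test(ch)
      ? ch
      : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Hardened pattern: same template, value encoded for its output context.
function renderSafe(fieldCc) {
  return PREFIX + jsStringEncode(fieldCc) + SUFFIX;
}

// Number of </script end tags an HTML parser would find in the fragment.
// More than one means the reflected value closed the element early.
function scriptEndTags(html) {
  return html.toLowerCase().split("</script").length - 1;
}

// Constructed test value containing the characters that matter in this
// context: a quote, an end tag, a backslash and a line separator (U+2028).
const SAMPLE = "o'brien@example.com </script> \\ \u2028";

console.log("unsafe end tags:", scriptEndTags(renderUnsafe(SAMPLE)));
console.log("safe end tags:  ", scriptEndTags(renderSafe(SAMPLE)));
console.log(renderSafe(SAMPLE));
```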