MailEnable Reflected Cross-Site Scripting Vulnerability in WindowContext Parameter of MAI/compose.aspx

A reflected cross-site scripting vulnerability has been identified in MailEnable versions prior to 10.54. The issue resides in the WindowContext parameter of the compose.aspx page within the webmail interface. The vulnerability arises because the WindowContext value is not properly sanitized when processed via a GET request. This allows an attacker to inject arbitrary JavaScript by breaking out of the existing script context and exploiting the JavaScript variable window.location. Exploitation involves crafting a payload that disrupts a specific JavaScript function, inserts malicious script, and comments out the remaining code. When the victim clicks a malicious link or sends an email, the injected script executes in their browser. This could lead to redirection to harmful sites, theft of non-HttpOnly cookies, injection of arbitrary HTML or CSS, and actions performed as the authenticated user.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the context of the user's browser.