MailEnable
cpe:2.3:a:mailenable:mailenable:*:*:*:*:*:*:*
- <= 10.54
A reflected cross-site scripting vulnerability has been identified in the MailEnable webmail interface, specifically in versions prior to 10.55. This vulnerability allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser. The issue arises from the FreeBusy.aspx form, where the Attendees parameter is not properly sanitized before being inserted into dynamically generated JavaScript. As a result, attackers can craft malicious URLs that, when clicked by victims, execute the injected JavaScript in their browsers.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser.
To reproduce this vulnerability, send a crafted URL that includes a malicious payload in the Attendees parameter of the FreeBusy.aspx page. When the victim clicks the link, the application reflects the unsanitized input into the JavaScript context, executing the injected script.
Users are advised to upgrade to MailEnable version 10.55 or later.