MailEnable
cpe:2.3:a:mailenable:mailenable:*:*:*:*:*:*:*
- <= 10.54
A reflected cross-site scripting vulnerability has been identified in the MailEnable webmail interface, affecting versions prior to 10.55. This vulnerability allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. The issue arises in the FreeBusy.aspx form, where the StartDate parameter is not properly sanitized before being embedded into dynamically generated JavaScript, enabling the injection of malicious code.
Exploiting this reflected cross-site scripting vulnerability lets an attacker execute JavaScript in the context of the victim's browser.
To reproduce this vulnerability, send a request to the FreeBusy.aspx page with a crafted StartDate parameter that contains JavaScript. The application reflects the unsanitized value into the JavaScript context of the page, where it executes in the victim's browser.
Users are advised to upgrade to MailEnable version 10.55 or later.
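Until the upgrade is in place, web server logs can be reviewed for FreeBusy.aspx requests whose StartDate value does not look like a date. The following is an added example, not part of the original advisory or of MailEnable's code. It assumes IIS W3C-format logs, and the path prefix, the sample log lines and the allowlist of date characters are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Assumption: a legitimate StartDate holds only date/time characters.
DATE_CHARS = re.compile(r"[0-9A-Za-z :./,+-]{0,40}")

# Constructed IIS W3C sample; the path prefix is a placeholder.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-01-10 09:14:02 GET /webmail-placeholder/FreeBusy.aspx StartDate=2025-01-10 203.0.113.5 200
2025-01-10 09:15:40 GET /webmail-placeholder/FreeBusy.aspx StartDate=01%2F10%2F2025+09%3A00 203.0.113.5 200
2025-01-10 09:17:11 GET /webmail-placeholder/freebusy.aspx startdate=%3Cconstructed-marker%3E 198.51.100.7 200
2025-01-10 09:18:30 GET /webmail-placeholder/Other.aspx StartDate=%3Cconstructed-marker%3E 198.51.100.7 200
2025-01-10 09:19:05 GET /webmail-placeholder/FreeBusy.aspx - 203.0.113.9 200
"""


def suspicious_requests(log_text):
    """Return (client_ip, decoded StartDate) for FreeBusy.aspx hits that fail the allowlist."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, values))
        if not row.get("cs-uri-stem", "").lower().endswith("/freebusy.aspx"):
            continue
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue  # IIS logs "-" when there is no query string
        # parse_qsl percent-decodes, so encoded punctuation is checked in decoded form.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == "startdate" and not DATE_CHARS.fullmatch(value):
                hits.append((row.get("c-ip", "?"), value))
    return hits


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent StartDate={value!r}")
```

A hit indicates a request worth reviewing, not proof of compromise; tune the allowlist to the date formats your deployment actually sends.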