📄 MailEnable 10.54 Cross Site Scripting

---------------------------------------------------------------------------
    MailEnable <= 10.54 Multiple Reflected Cross-Site Scripting Vulnerabilities
    ---------------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://www.mailenable.com
    
    
    [-] Affected Versions:
    
    Version 10.54 and prior versions.
    
    
    [-] Vulnerabilities Description:
    
    1) Vulnerable code in ManageShares.aspx
    
    User input passed through the "SelectedIndex" GET parameter to the
    /Mondo/lang/sys/Forms/ManageShares.aspx page is not properly sanitized
    before being used to generate JavaScript code, allowing an attacker to
    break out of the existing function and inject arbitrary JavaScript.
    This can be exploited by attackers to perform Reflected Cross-Site
    Scripting (XSS) attacks.
    
    Proof of Concept:
    https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/ManageShares.aspx?SelectedIndex=%27;}alert(%27XSS%27);function%20x(){return%27
    
    An attacker can use a crafted link like the one above to trick a
    victim user into issuing a request containing a malicious payload. The
    application reflects unsanitized input into JavaScript code, enabling
    execution of arbitrary script in the victim's browser.
    
    2) Vulnerable code in FreeBusy.aspx
    
    User input passed through the "Attendees" GET parameter to the
    /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized
    before being used to generate JavaScript code, allowing an attacker to
    break out of the existing function and inject arbitrary JavaScript.
    This can be exploited by attackers to perform Reflected Cross-Site
    Scripting (XSS) attacks.
    
    Proof of Concept:
    https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?Attendees=%27);}alert(%27XSS%27);function%20x(){return%20x(%27
    
    An attacker can use a crafted link like the one above to trick a
    victim user into issuing a request containing a malicious payload. The
    application reflects unsanitized input into JavaScript code, enabling
    execution of arbitrary script in the victim's browser.
    
    3) Vulnerable code in FreeBusy.aspx
    
    User input passed through the "StartDate" GET parameter to the
    /Mondo/lang/sys/Forms/CAL/FreeBusy.aspx page is not properly sanitized
    before being used to generate JavaScript code, allowing an attacker to
    break out of the existing function and inject arbitrary JavaScript.
    This can be exploited by attackers to perform Reflected Cross-Site
    Scripting (XSS) attacks.
    
    Proof of Concept:
    https://[MailEnable_WebMail]/Mondo/lang/sys/Forms/CAL/FreeBusy.aspx?StartDate=%27);}alert(%27XSS%27);function%20x(){return%20x(%27
    
    An attacker can use a crafted link like the one above to trick a
    victim user into issuing a request containing a malicious payload. The
    application reflects unsanitized input into JavaScript code, enabling
    execution of arbitrary script in the victim's browser.
    
    
    [-] Solution:
    
    Upgrade to version 10.55 or later.
    
    
    [-] Disclosure Timeline:
    
    [24/02/2026] - Vendor notified
    
    [02/03/2026] - Vendor released version 10.55, including fixes for
    these vulnerabilities
    
    [02/03/2026] - CVE identifier requested
    
    [23/03/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures project (cve.org) has not
    assigned a CVE identifier for these vulnerabilities.
    
    
    [-] Credits:
    
    Vulnerabilities discovered by Egidio Romano.
    
    
    [-] Other References:
    
    https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-05