CVE-2025-34401

6.1 MEDIUM

📋 TL;DR

MailEnable versions before 10.54 contain a reflected XSS vulnerability in the AddressBook.aspx FieldBcc parameter. Attackers can craft malicious URLs that execute JavaScript in victims' browsers when clicked, potentially stealing session cookies or performing actions as the authenticated user. This affects all MailEnable users with vulnerable versions exposed to untrusted networks.

💻 Affected Systems

Products:
  • MailEnable
Versions: All versions prior to 10.54
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the webmail interface component of MailEnable when accessible via browser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers steal authenticated session cookies, hijack user accounts, redirect to phishing sites, and perform unauthorized email operations as the victim.

🟠

Likely Case

Attackers steal non-HttpOnly session cookies to hijack authenticated sessions, potentially accessing email accounts and sensitive communications.

🟢

If Mitigated

With proper input validation and output encoding, the injected script does not execute; the parameter value is merely reflected as inert text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires victim interaction (clicking a malicious link) but uses standard reflected-XSS techniques, and the attacker needs no authentication to craft the link.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.54

Vendor Advisory: https://mailenable.com/Standard-ReleaseNotes.txt

Restart Required: Yes

Instructions:

1. Download MailEnable version 10.54 or later from the vendor website.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the MailEnable services.
5. Verify that the version shows 10.54 or higher.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement a web application firewall rule or server-side input validation that rejects FieldBcc parameter values containing script tags or JavaScript syntax.

Access Restriction

all

Restrict access to /Mondo/lang/sys/Forms/AddressBook.aspx to trusted source IP addresses only.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to block inline script execution.
  • Deploy web application firewall with XSS protection rules to filter malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Test by accessing https://[mailserver]/Mondo/lang/sys/Forms/AddressBook.aspx?FieldBcc=test%22%3E%3Cscript%3Ealert(1)%3C/script%3E and checking if script executes.

Check Version:

Check MailEnable Admin Console or registry key: HKEY_LOCAL_MACHINE\SOFTWARE\MailEnable\Mail Enable\Version

Verify Fix Applied:

After patching, repeat the test payload; script should not execute and input should be properly encoded.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to AddressBook.aspx whose FieldBcc parameter contains script tags, JavaScript function calls, or URL-encoded (including double-encoded) forms of these.

Network Indicators:

  • Unusual outbound connections from mail server to external domains following access to AddressBook.aspx.

SIEM Query:

source="web_logs" AND uri_path="/Mondo/lang/sys/Forms/AddressBook.aspx" AND query_string="*FieldBcc=*script*"
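An added example, not part of this advisory: a small Python scanner over constructed IIS-style log lines that URL-decodes the FieldBcc value repeatedly before matching, so double-encoded payloads that the literal `*script*` pattern in the SIEM query above would miss are still flagged. The log layout, the sample lines and the indicator regex are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log lines (date time method path query status), not real traffic.
# Line 2 is the advisory's own test payload; line 3 is the same payload double-encoded.
SAMPLE_LOGS = [
    "2025-01-10 09:12:01 GET /Mondo/lang/sys/Forms/AddressBook.aspx FieldBcc=alice@example.com 200",
    "2025-01-10 09:13:44 GET /Mondo/lang/sys/Forms/AddressBook.aspx FieldBcc=test%22%3E%3Cscript%3Ealert(1)%3C/script%3E 200",
    "2025-01-10 09:15:02 GET /Mondo/lang/sys/Forms/AddressBook.aspx FieldBcc=x%2522%253E%253Cscript%253Ealert(1)%253C/script%253E 200",
    "2025-01-10 09:16:30 GET /Mondo/lang/sys/Forms/Inbox.aspx FieldBcc=%3Cscript%3E 200",
]

TARGET_PATH = "/mondo/lang/sys/forms/addressbook.aspx"  # compared case-insensitively (IIS paths are)
PARAM = "fieldbcc"
# Indicators checked against the fully decoded value: script tags, javascript: URLs, event handlers.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.I)

def fully_decode(value, max_rounds=3):
    """URL-decode until stable (bounded) so double-encoded payloads are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(line):
    """Return the decoded FieldBcc value if the line is a suspicious AddressBook.aspx request, else None."""
    parts = line.split()
    if len(parts) != 6:          # malformed line for the assumed layout: skip rather than crash
        return None
    _, _, _, path, query, _ = parts
    if path.lower() != TARGET_PATH:
        return None
    # parse_qs performs one round of decoding; fully_decode handles any further layers.
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != PARAM:
            continue
        for v in values:
            decoded = fully_decode(v)
            if SUSPICIOUS.search(decoded):
                return decoded
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every suspicious line in the input."""
    return [(n, v) for n, v in ((n, is_suspicious(l)) for n, l in enumerate(lines, 1)) if v is not None]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOGS):
        print(f"line {n}: FieldBcc={value!r}")
```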
