CVE-2025-34407

6.1 MEDIUM

📋 TL;DR

MailEnable versions before 10.54 contain a reflected cross-site scripting vulnerability in the theme parameter of Statistics.aspx. An attacker can craft a link that, when opened by a victim who is logged in to the MailEnable web interface, executes attacker-controlled JavaScript in the victim's browser in the context of that interface, potentially stealing cookies or performing actions as the authenticated user. Any installation that exposes the web interface on an unpatched version is affected.

💻 Affected Systems

Products:
  • MailEnable
Versions: All versions prior to 10.54
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface component of MailEnable. Requires user interaction (clicking malicious link).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal authentication cookies, hijack user sessions, redirect users to malicious sites, and perform administrative actions as authenticated users. Note that HttpOnly does not stop the last of these: script running in the MailEnable origin can issue requests with the victim's session even when it cannot read the cookie.

🟠 Likely Case

Attackers steal non-HttpOnly session cookies and hijack user sessions, potentially accessing email accounts or administrative functions.

🟢 If Mitigated

With the vendor fix applied, the parameter is no longer reflected unescaped and the issue is closed. Without the fix, a Content Security Policy that disallows inline script reduces the impact to HTML/CSS injection or temporary page defacement; HttpOnly cookies on their own only prevent cookie theft, not script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction via malicious link. Payload examples available in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.54

Vendor Advisory: https://mailenable.com/Standard-ReleaseNotes.txt

Restart Required: Yes

Instructions:

1. Download MailEnable version 10.54 or later from the official website.
2. Run the installer to upgrade the existing installation.
3. Restart the MailEnable services.
4. Verify the version in the administration interface.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Place a web application firewall or request filter in front of the web interface and allow only expected theme values (an allow-list of short identifier-like names) rather than blocklisting strings such as <script>, since reflected XSS payloads rarely need that exact token. Match against the URL-decoded value; payloads arrive encoded (%3Cscript%3E) or double-encoded.

Disable Statistics Page (Windows)

Remove or restrict access to /Mondo/lang/sys/Forms/Statistics.aspx at the web server, for example with request filtering or URL authorization if the interface is hosted on IIS. This disables the statistics feature for all users until the patch is applied.

🧯 If You Can't Patch

  • Implement a strict Content Security Policy (CSP) header without 'unsafe-inline' in script-src so a reflected payload cannot execute; test it first, because the application's own inline scripts may break under such a policy.
  • Configure a web application firewall to block or allow-list the theme parameter on Statistics.aspx, matching on the URL-decoded value.

🔍 How to Verify

Check if Vulnerable:

Request /Mondo/lang/sys/Forms/Statistics.aspx?theme=<script>alert('test')</script> (URL-encoded if your client requires it) while logged in and check whether the script executes. For a non-executable check, send a harmless marker containing <, > and quote characters in theme and inspect the response: if the marker comes back with those characters intact, the page reflects the parameter unescaped and is vulnerable.

Check Version:

Check MailEnable version in administration interface or program files properties

Verify Fix Applied:

After patching, repeat the same request: the script must not execute, and the value must come back HTML-encoded (for example &lt;script&gt;) or be rejected rather than reflected verbatim.
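As an added example (not from the advisory or from MailEnable), the reflection check described above as a script: it sends a harmless canary in the theme parameter and classifies whether the page echoes it raw (vulnerable), HTML-encoded (expected after the fix), or not at all. The path and parameter name are the ones named in this advisory; the host name, canary string and User-Agent are assumptions chosen for illustration.

```python
"""Reflection check for the MailEnable Statistics.aspx theme parameter."""
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Path from the advisory; the host name is whatever you are testing.
STATISTICS_PATH = "/Mondo/lang/sys/Forms/Statistics.aspx"

# Harmless marker (assumed value): a unique tag plus the characters an XSS
# payload needs. It is not executable, so it is safe against production hosts.
CANARY = "ce34407<\"'>ce34407"


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """Classify how a response body reflects the canary.

    'raw'     - canary appears with < " ' > intact: unescaped reflection,
                i.e. the page is vulnerable to reflected XSS.
    'encoded' - canary appears only with those characters HTML-encoded,
                which is the expected behaviour after the 10.54 fix.
    'absent'  - the parameter is not echoed into the page at all.
    """
    if canary in body:
        return "raw"
    # html.escape(quote=True) encodes < > & " and ' the way ASP.NET does.
    if html.escape(canary, quote=True) in body:
        return "encoded"
    # Other encoders use &apos; or numeric references; unescape and compare.
    if canary in html.unescape(body):
        return "encoded"
    return "absent"


def build_url(base_url: str, canary: str = CANARY) -> str:
    """Build the probe URL with the canary URL-encoded in the theme parameter."""
    query = urllib.parse.urlencode({"theme": canary})
    return base_url.rstrip("/") + STATISTICS_PATH + "?" + query


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL (network call) and classify the reflection."""
    req = urllib.request.Request(
        build_url(base_url),
        headers={"User-Agent": "cve-2025-34407-reflection-check"},  # assumed
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # 403/404 after the "restrict the page" workaround; still inspect the
        # body, because a custom error page can reflect the query string too.
        body = err.read().decode("utf-8", errors="replace")
    return classify_reflection(body)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_theme_reflection.py https://mail.example.com")
    print(probe(sys.argv[1]))
```

Run it against the base URL of the web interface; a result of raw means the host needs the patch or a workaround, encoded means the fix is in place, and absent usually means the page was blocked or the parameter is no longer used. Test the check from a session-less client first, since some deployments require a login before Statistics.aspx renders anything.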

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to Statistics.aspx whose theme parameter contains script tags or JavaScript; in web server logs the value is usually URL-encoded (%3Cscript%3E, javascript%3A) or double-encoded, so decode before matching
  • Unusual length or character patterns in theme parameter values, such as quotes, angle brackets or event-handler attributes (onerror=, onload=) where a short theme name is expected

Network Indicators:

  • HTTP requests containing <script>, javascript:, or other XSS payloads in URL parameters, in raw or percent-encoded form

SIEM Query:

source="web_logs" AND url="*Statistics.aspx*" AND (url="*<script*" OR url="*%3Cscript*" OR url="*javascript:*" OR url="*javascript%3A*")

This matches only the two most common tokens; payloads built from event handlers (onerror=) or quote break-outs will not hit it, so treat it as a starting point and URL-decode the query string in your pipeline where you can.
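An added example (not part of the advisory) of the detection logic from the log indicators above run over constructed IIS W3C-format log lines: it URL-decodes the theme value, including double encoding, before matching, which a raw substring search for <script> misses. The log lines, IP addresses, timestamps and field layout are constructed for illustration; adapt the #Fields header and the length threshold to your own logs.

```python
"""Scan IIS W3C-format web logs for XSS probes against Statistics.aspx."""
import re
import urllib.parse

# Constructed sample lines (not real traffic). Field order follows the
# #Fields header; a real IIS log carries that header at the top of the file.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-10-01 09:12:03 10.0.0.5 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=blue 443 alice 203.0.113.10 200
2025-10-01 09:13:44 10.0.0.5 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=%3Cscript%3Ealert(1)%3C/script%3E 443 - 198.51.100.7 200
2025-10-01 09:14:10 10.0.0.5 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 198.51.100.7 200
2025-10-01 09:15:02 10.0.0.5 GET /Mondo/lang/sys/Forms/Login.aspx theme=%3Cscript%3E 443 - 198.51.100.9 200
2025-10-01 09:16:30 10.0.0.5 GET /Mondo/lang/sys/Forms/Statistics.aspx theme=javascript%3Aalert(document.cookie) 443 - 198.51.100.7 200
"""

# Named indicators checked against the fully decoded theme value.
XSS_PATTERNS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),      # <script, <img, </a
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),  # onerror=, onload=
    ("attr-breakout", re.compile(r"[\"']\s*>")),             # "> or '> closes a tag
]
MAX_SANE_LENGTH = 32  # assumed: theme names are short identifiers
TARGET_PAGE = "statistics.aspx"


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly to defeat double encoding (%2522 -> %22 -> ")."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the #Fields header names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def scan(log_text):
    """Return (client IP, decoded theme value, indicator names) per suspicious request."""
    findings = []
    for rec in parse_w3c(log_text):
        if not rec["cs-uri-stem"].lower().endswith(TARGET_PAGE):
            continue
        query = rec["cs-uri-query"]
        if query == "-":  # IIS logs '-' when there is no query string
            continue
        # parse_qs performs the first decode; decode_fully handles the rest.
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        for raw in params.get("theme", []):
            theme = decode_fully(raw)
            reasons = [name for name, pat in XSS_PATTERNS if pat.search(theme)]
            if len(theme) > MAX_SANE_LENGTH:
                reasons.append("length>%d" % MAX_SANE_LENGTH)
            if reasons:
                findings.append((rec["c-ip"], theme, reasons))
    return findings


if __name__ == "__main__":
    for client_ip, theme, reasons in scan(SAMPLE_LOG):
        print("%-15s %-40r %s" % (client_ip, theme, ", ".join(reasons)))
```

The Login.aspx probe is deliberately ignored, since the advisory is specific to Statistics.aspx; widen TARGET_PAGE if you want the same indicators across the whole web interface. Group the findings by client IP before alerting: a single reflected-XSS hit is a scanner, a burst from one source against many accounts is a campaign.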
