Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component
An attacker exploits the vulnerable failure.aspx component, to which it is possible to submit a malicious payload without authentication and without user interaction on the server side. The injected XSS code is then executed in the context of the application, which according to the description can lead to arbitrary code execution (RCE). The attack is possible remotely over the network, without special privileges or complex conditions.
An attacker can execute arbitrary code in the context of the application or victim's browser, potentially leading to system takeover, data theft, or further lateral movement in the network.
MailEnable should be updated to version 10 or newer according to vendor information available at mailenable.com
MailEnable in all versions before version 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMailenable
APPMailenable< 10.00
Related vulnerabilities
MailEnable Enterprise Premium 10.23 was vulnerable to XML External Entity Injection (XXE) attacks that could b...
MailEnable before 8.60 allows Directory Traversal for reading the messages of other users, uploading files, an...
MailEnable before 8.60 allows Privilege Escalation because admin accounts could be created as a consequence of...
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.
MailEnable Enterprise Premium 10.55 and earlier contains an improper authorization vulnerability in the WebAdm...