MailEnable < 10.54 Reflected XSS in theme Parameter of Statistics.aspx

MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of /Mondo/lang/sys/Forms/Statistics.aspx. The theme value is insufficiently sanitized when processed via a GET request and is reflected in the response, allowing an attacker to break out of an existing iframe context and inject arbitrary script. A remote attacker can supply a crafted payload that closes the iframe tag, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

MailEnable 跨站脚本漏洞

MailEnable是澳大利亚MailEnable公司的一个基于 Windows 的商业电子邮件服务器。 MailEnable 10.54之前版本存在跨站脚本漏洞，该漏洞源于/Mondo/lang/sys/Forms/Statistics.aspx中theme参数清理不当，可能导致反射型跨站脚本攻击。

N/A

N/A