MailEnable < 10.55 Reflected XSS via FreeBusy.aspx Attendees Parameter

MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the Attendees parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

MailEnable 跨站脚本漏洞

MailEnable是澳大利亚MailEnable公司的一个基于 Windows 的商业电子邮件服务器。 MailEnable 10.55之前版本存在跨站脚本漏洞，该漏洞源于Webmail接口中FreeBusy.aspx表单的Attendees参数清理不当，可能导致反射型跨站脚本攻击。

N/A

N/A