Mushroomsecteam

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where an unsafe Dynamic Link Library (DLL) loading process can allow a local attacker to execute arbitrary code. The MailEnable administrative executable loads `MEAIPO.DLL` from the installation directory without proper validation. An attacker with write access to this directory can place a malicious `MEAIPO.DLL` file, which will then be executed when the administrative executable starts, granting the attacker the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where an unsafe Dynamic Link Library (DLL) loading process can allow a local attacker to execute arbitrary code. The MailEnable administrative executable loads `MEAISO.DLL` from its installation directory without proper validation. An attacker with write access to this directory can place a malicious `MEAISO.DLL` file, which will then be executed when the administrative executable starts, granting the attacker the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an unsafe DLL loading issue that could allow a local attacker to execute arbitrary code. The MailEnable administrative executable loads `MEAIMF.DLL` from the installation directory without proper validation. An attacker with write access to this directory can place a malicious `MEAIMF.DLL` file, which will then be executed when the application starts, granting the attacker the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where an attacker can execute code on the system. This happens because the MailEnable administrative executable loads `MEAISM.DLL` from the installation directory without proper checks. A local attacker who can write to that directory can place a malicious `MEAISM.DLL` file there. When the executable starts, it loads this malicious file, allowing the attacker to run code with the same permissions as the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an unsafe DLL loading issue that could allow a local attacker to run arbitrary code. The MailEnable administrative executable loads `MEAIAM.DLL` from the installation directory without proper checks. An attacker with write access to this directory can place a malicious `MEAIAM.DLL` file, which will then be executed with the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where the software loads DLLs unsafely, potentially allowing a local attacker to run arbitrary code. The MailEnable administrative executable loads `MEAISP.DLL` from the installation directory without proper checks. An attacker with write access to this directory can place a malicious `MEAISP.DLL` file, which will then be executed with the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where the software loads DLLs in an insecure manner, potentially allowing a local attacker to execute arbitrary code. Specifically, the MailEnable administrative executable attempts to load `MEAIPC.DLL` from its installation directory without proper validation. An attacker with write access to this directory can place a malicious `MEAIPC.DLL` file, which will then be executed with the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an unsafe DLL loading issue that could allow a local attacker to execute arbitrary code. The MailEnable administrative executable loads `MEAIAU.DLL` from the installation directory without proper validation. An attacker with write access to this directory can place a malicious `MEAIAU.DLL` file, which will then be executed with the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an issue where the software loads DLLs unsafely, potentially allowing a local attacker to run arbitrary code. The MailEnable administrative executable loads `MEAIDP.DLL` from the installation directory without proper checks. An attacker with write access to this directory can place a malicious `MEAIDP.DLL` file, which will then be executed with the privileges of the process. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 store user and administrative passwords in plaintext within the `AUTH.TAB` file, which has overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials. These credentials can then be used to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, potentially enabling unauthorized mailbox access and administrative control. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 store user and administrative passwords in plaintext within the `AUTH.SAV` file, which has overly permissive filesystem access. A local authenticated user with read access to this file can recover all user passwords and super-admin credentials. These credentials can then be used to authenticate to MailEnable services such as POP3, SMTP, or the webmail interface, enabling unauthorized mailbox access and administrative control. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** The software contains a reflected cross-site scripting (XSS) issue in the `Added` parameter of the ''/Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx'' endpoint. The `Added` value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to inject arbitrary script. An attacker can supply a crafted payload that closes an existing HTML list element, inserts attacker-controlled JavaScript, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 have an unsafe DLL loading issue that could allow a local attacker to execute arbitrary code. The MailEnable administrative executable attempts to load `MEAINFY.DLL` from its application directory without proper validation. If the DLL is missing or an attacker can write to locations in the search path, they can place a malicious `MEAINFY.DLL`. When the executable is run, it loads the attacker-controlled library and executes code with the process's privileges, potentially leading to local privilege escalation if the process is running with elevated rights. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the `WindowContext` parameter of the ''/Mondo/lang/sys/Forms/MAI/compose.aspx'' endpoint. The `WindowContext` value is not properly sanitized when processed via a GET request and is reflected within a <script> context in the JavaScript variable `window.location`, allowing an attacker to inject arbitrary JavaScript. An attacker can supply a crafted payload that terminates the `ProcessContextSwitchResult()` function, inserts attacker-controlled script, and comments out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link or attempts to send an email. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** The software contains a reflected cross-site scripting (XSS) issue in the `Failed` parameter of the ''/Mondo/lang/sys/Forms/MAI/AddRecipientsResult.aspx'' endpoint. The `Failed` value is not properly sanitized when processed via a GET request and is reflected in the response, allowing an attacker to inject arbitrary script. An attacker can supply a crafted payload to close an existing HTML list element, insert attacker-controlled JavaScript, and comment out remaining code, leading to script execution in a victim’s browser when the victim visits a malicious link. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the `Message` parameter of the ''/Mobile/Compose.aspx'' API endpoint. The `Message` value is not properly sanitized when processed via a GET request and is reflected into a JavaScript context in the response. An attacker can execute arbitrary JavaScript in a victim’s browser by supplying a crafted payload that terminates the existing script block/function, injects attacker-controlled JavaScript, and comments out the remaining code when the victim opens the crafted reply URL. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) issue in the `AddressesBcc` parameter of the ''/Mondo/lang/sys/Forms/AddressBook.aspx'' endpoint. The `AddressesBcc` value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable `sAddrBcc`. An attacker can execute arbitrary JavaScript in a victim’s browser by supplying a crafted payload that terminates the `LoadCurAddresses()` function, inserts attacker-controlled script, and comments out remaining code. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) issue in the `AddressesCc` parameter of the ''/Mondo/lang/sys/Forms/AddressBook.aspx'' endpoint. The `AddressesCc` value is not properly sanitized when processed via a GET request and is reflected within a <script> block in the JavaScript variable `sAddrCc`. An attacker can execute arbitrary JavaScript in a victim’s browser by supplying a crafted payload that terminates the `LoadCurAddresses()` function, inserts attacker-controlled script, and comments out remaining code. Successful exploitation could redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) issue in the `AddressesTo` parameter of the ''/Mondo/lang/sys/Forms/AddressBook.aspx'' endpoint. The `AddressesTo` value is not properly sanitized when processed via a GET request and is reflected within a `<script>` block in the response. A remote attacker can execute arbitrary JavaScript in a victim’s browser when the victim attempts to send an email by supplying a crafted payload that terminates existing JavaScript, inserts attacker-controlled script, and comments out remaining code. Successful exploitation can redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update MailEnable to version 10.54 or later.

**Name of the Vulnerable Software and Affected Versions** MailEnable versions prior to 10.54 **Description** The software contains a reflected cross-site scripting (XSS) issue in the `FieldBcc` parameter of the ''/Mondo/lang/sys/Forms/AddressBook.aspx'' endpoint. The `FieldBcc` value is not properly sanitized when processed via a GET request and is reflected inside a <script> block in the JavaScript variable `BCCFieldProvided`. An attacker can execute arbitrary JavaScript in a victim’s browser during normal email composition by supplying a crafted payload that terminates the existing `LoadCurAddresses()` function, inserts attacker-controlled script, and comments out remaining code. Successful exploitation could redirect victims to malicious sites, steal non-HttpOnly cookies, inject arbitrary HTML or CSS, and perform actions as the authenticated user. **Recommendations** Update to version 10.54 or later.