CVE-2007-0651

Name of the Vulnerable Software and Affected Versions MailEnable Professional versions prior to 2.37

Description The issue allows remote attackers to inject arbitrary Javascript script, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via e-mail messages or by manipulating the ID parameter in specific API endpoints, such as "right.asp", "Forms/MAI/list.asp", and "Forms/VCF/list.asp" in the "mewebmail/base/default/lang/EN/" directory.

Recommendations For MailEnable Professional versions prior to 2.37, update to version 2.37 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "right.asp", "Forms/MAI/list.asp", and "Forms/VCF/list.asp", until a patch is applied. Avoid using the ID parameter in these endpoints to minimize the risk of exploitation.