PT-2025-50145 · Unknown · Mailenable

Mushroomsecteam · Published 2025-12-09 · Updated 2025-12-10 · CVE-2025-34407

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MailEnable versions prior to 10.54

Description: MailEnable versions prior to 10.54 contain a reflected cross-site scripting (XSS) vulnerability in the theme parameter of the /Mondo/lang/sys/Forms/Statistics.aspx endpoint. The theme value supplied in a GET request is neither adequately sanitized nor output-encoded and is echoed into the response, where it lands in an iframe context; because the metacharacters survive, an attacker can break out of that context and inject arbitrary HTML or script. A victim who follows a crafted link (the vector's UI:R) could be redirected to a malicious site, have cookies stolen (where the session cookie is not marked HttpOnly), see injected HTML/CSS, or have actions performed in their authenticated MailEnable session.

Recommendations: Update MailEnable to version 10.54 or later.
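The check a practitioner wants before and after the upgrade is whether the theme value still comes back with its metacharacters intact. The following is an added example written for this page, not code from MailEnable or from the advisory author. It assumes only what the advisory states (the endpoint path and the parameter name); the two response bodies are constructed for illustration and do not reproduce real MailEnable markup. The probe carries no script, and a "breakout" verdict means the value can close an attribute and open a tag, which is the necessary condition for the reported XSS but does not by itself prove script execution (that still depends on the surrounding markup and any CSP).

```python
"""Reflection check for a GET parameter echoed into an HTML response.

Added example for this advisory; not MailEnable's code and not the advisory
author's. Only the endpoint path and parameter name come from the advisory.
"""
import re
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

ENDPOINT_PATH = "/Mondo/lang/sys/Forms/Statistics.aspx"   # from the advisory
PARAM = "theme"                                            # from the advisory

# The three characters that decide whether a value echoed inside an attribute
# can escape it: close the attribute, close the tag, open a new one.
PROBE_PREFIX = '"><'


def probe_value(token):
    """Harmless probe: metacharacters followed by a unique token so the
    reflection can be located unambiguously. No script is sent."""
    return PROBE_PREFIX + token


def build_probe_url(base_url, value):
    """Build the GET URL. urlencode() percent-encodes the probe, so whatever
    comes back unencoded was decoded and re-emitted by the server."""
    parts = urlsplit(base_url)
    return urlunsplit((parts.scheme, parts.netloc, ENDPOINT_PATH,
                       urlencode({PARAM: value}), ""))


def classify_reflection(body, token):
    """Report how the probe was reflected.

    points:    number of places the token appears in the body
    unencoded: probe metacharacters that came back verbatim immediately
               before the token at any reflection point (empty set means
               every copy was encoded)
    breakout:  True when all three metacharacters survived somewhere
    """
    unencoded = set()
    points = 0
    for match in re.finditer(re.escape(token), body):
        points += 1
        tail = body[max(0, match.start() - len(PROBE_PREFIX)):match.start()]
        unencoded.update(ch for ch in tail if ch in PROBE_PREFIX)
    return {"points": points, "unencoded": unencoded,
            "breakout": unencoded == set(PROBE_PREFIX)}


def probe_live(base_url, token, timeout=10):
    """Send the probe to an instance you are authorised to test and classify
    the response. Needs network access; not exercised offline."""
    url = build_probe_url(base_url, probe_value(token))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return classify_reflection(body, token)


# Constructed responses (illustrative, not real MailEnable output). The
# vulnerable one echoes the value raw into an iframe src attribute, the iframe
# context the advisory mentions; the patched one HTML-encodes it.
TOKEN = "zq7rkt2m9pd4"
VULNERABLE_BODY = (
    '<html><body>\n'
    '<iframe src="Statistics.aspx?theme="><zq7rkt2m9pd4"></iframe>\n'
    '</body></html>\n'
)
PATCHED_BODY = (
    '<html><body>\n'
    '<iframe src="Statistics.aspx?theme=&quot;&gt;&lt;zq7rkt2m9pd4"></iframe>\n'
    '</body></html>\n'
)

if __name__ == "__main__":
    print(build_probe_url("https://mail.example.test", probe_value(TOKEN)))
    for name, body in (("vulnerable", VULNERABLE_BODY), ("patched", PATCHED_BODY)):
        print(name, classify_reflection(body, TOKEN))
```

Run it against a test instance with `probe_live("https://<your-host>", "<random token>")` after confirming the offline classification behaves as expected; a fresh random token per run keeps stale cached pages from producing a false "reflected" result. A partially encoded reflection (for example only the quote encoded) shows up as a non-empty `unencoded` set with `breakout` False, which is worth reporting even though it does not match the advisory's condition exactly.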

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-34407

Affected Products

Mailenable