CVE-2026-32852
MEDIUM 6.1
Description
MailEnable versions prior to 10.55 contain a reflected cross-site scripting vulnerability in the webmail interface that allows remote attackers to execute arbitrary JavaScript in a victim's browser by crafting a malicious URL. Attackers can inject malicious code through the StartDate parameter in the FreeBusy.aspx form, which is not properly sanitized before being embedded into dynamically generated JavaScript.
CVE Details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 3/23/2026
Last modified: 3/30/2026
Source: nvd
Honeypot sightings: 0
Affected products
mailenable:mailenable
Weaknesses (CWE)
CWE-79
References
https://karmainsecurity.com/KIS-2026-05 (disclosure@vulncheck.com)
https://mailenable.com/Standard-ReleaseNotes.txt (disclosure@vulncheck.com)
https://www.mailenable.com/ (disclosure@vulncheck.com)
https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=MAILENABLEVERSION1055 (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/mailenable-reflected-xss-via-freebusy-aspx-startdate-parameter (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.