ME020567 - BUG: Cross-site Scripting vulnerability in MailEnable webmail


MailEnable Professional and Enterprise versions are prone to cross-site scripting vulnerabilities as the user-supplied input received via "Username" parameter of "ForgottonPassword.aspx" page is not properly sanitized (CVE-2012-0389). A specially crafted URL which a user clicks could gain access to the users cookies for webmail. The affected versions of MailEnable are:

MailEnable Professional, Enterprise & Premium 4.26 and earlier
MailEnable Professional, Enterprise & Premium 5.52 and earlier
MailEnable Professional, Enterprise & Premium 6.02 and earlier

MailEnable Standard is not affected.


This is caused by the input to the forgotten password page (specifically the username) not being sanitised.


Users of MailEnable 5 and 6 can resolve the issue by upgrading to version 5.53 or 6.03 or later. Alternatively, and for version 4 users, the following fix can be applied:

  1. Open the ForgottenPassword.aspx file in Notepad. This file is in the Mail Enable\bin\NETWebMail\Mondo\lang\[language] folders in version 4 and in Mail Enable\bin\NETWebMail\Mondo\lang\sys in version 5 and 6.
  2. Locate and remove the following line, then save the file 

         document.getElementById("txtUsername").value = '<%= Request.Item("Username") %>'<%= Request.Item("Username") %>;


CVE Identifier for this vulnerability is CVE-2012-0389.


Product: MailEnable
Category: Other
Module: General
Class: BUG: Product Defect/Bug
Revision Date:Wed, 04 May 2016 14:26:06 +1000