CVE-2019-12923
MEDIUMMailEnable 6.0-<6.90 - Cross-Site Request Forgery via Anti-CSRF Token Removal
Title source: llmDescription
In MailEnable Enterprise Premium 10.23, the potential cross-site request forgery (CSRF) protection mechanism was not implemented correctly and it was possible to bypass it by removing the anti-CSRF token parameter from the request. This could allow an attacker to manipulate a user into unwittingly performing actions within the application (such as sending email, adding contacts, or changing settings) on behalf of the attacker.
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_confirm
http://www.mailenable.com/Premium-ReleaseNotes.txt
Release Notes, Third Party Advisory x_refsource_misc
https://www.nccgroup.trust/uk/our-research/technical-advisory-multiple-vulnerabilities-in-mailenable/
Scores
CVSS v3
6.5
EPSS
0.0057
EPSS Percentile
43.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-352
Status
published
Products (1)
mailenable/mailenable
6.0 - 6.90
Published
Jul 08, 2019
Tracked Since
Feb 18, 2026