Plesk for Windows
Symptoms
- Vulnerability in the latest version of MailEnable 10.53
- The following link triggers a cross-site scripting vulnerability in MailEnable: https://webmail.example.com/Mondo/lang/sys/Failure.aspx?state=19753%22;}alert(%27Plesk%20Test%27);function%20test(){%22
Cause
Known vulnerability CVE-2025-44148.
Resolution
The case was discussed with the security team. We ship the MailEnable package as is: the MailEnable exe file is downloaded from their official website, and Plesk does not modify its installation. This means we cannot upgrade the downloadable package on our side. The only option is to wait until MailEnable releases a hotfix for this vulnerability. As soon as MailEnable publishes the patch, we will add it to the Plesk release.
MailEnable provided a manual fix:
https://www.mailenable.com/rss/article.asp?Source=RSSADMIN&ID=SECURITY1053
- Connect to the Plesk server via RDP.
- Download the file from the link above.
- Replace it in the C:\Program Files (x86)\Mail Enable\Bin\NETWebMail\Mondo\lang\sys folder.
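To check whether the page named under Symptoms was already requested with a crafted state value before the fix was in place, the web server logs can be scanned. The following is an added example, not code from Plesk or MailEnable. It assumes IIS W3C-format logs and that a legitimate state value is purely numeric (as the leading 19753 in the URL above suggests); the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log (IIS W3C format, documentation IPs); not real traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-01-01 10:00:00 GET /Mondo/lang/sys/Failure.aspx state=19753 192.0.2.10 200
2025-01-01 10:00:05 GET /Mondo/lang/sys/Failure.aspx state=19753%22;}alert(%27Plesk%20Test%27);function%20test(){%22 192.0.2.20 200
2025-01-01 10:00:09 GET /favicon.ico - 192.0.2.10 200
2025-01-01 10:00:12 GET /mondo/lang/sys/failure.aspx State=1%22 192.0.2.30 200
"""

# Page from the Symptoms URL, lower-cased because IIS paths are case-insensitive.
TARGET_STEM = "/mondo/lang/sys/failure.aspx"

def suspicious_requests(log_text):
    """Return (date, time, client_ip, decoded_state) for each request to
    Failure.aspx whose state value is not purely numeric (assumed rule)."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        # Split on '&' by hand: the value may contain ';', which some
        # query-string parsers treat as a separator.
        for pair in row.get("cs-uri-query", "").split("&"):
            name, _, value = pair.partition("=")
            if name.lower() != "state":
                continue
            decoded = unquote(value)
            if not re.fullmatch(r"[0-9]+", decoded):
                hits.append((row.get("date"), row.get("time"),
                             row.get("c-ip"), decoded))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(*hit, sep="\t")
```

To run it against real data, pass the contents of the webmail site's IIS log file to `suspicious_requests` instead of `SAMPLE_LOG`.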