21 vulnerabilities found for roundcube_webmail by roundcube
CVE-2015-5383 (GCVE-0-2015-5383)
Vulnerability from nvd – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4816 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5383",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4816",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5383",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5382 (GCVE-0-2015-5382)
Vulnerability from nvd – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4817 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2015/07/07/3 | mailing-list, x_refsource_MLIST |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5382",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4817",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5382",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5381 (GCVE-0-2015-5381)
Vulnerability from nvd – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| http://trac.roundcube.net/ticket/1490417 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4837 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc | x_refsource_CONFIRM |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5381",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "http://trac.roundcube.net/ticket/1490417",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4837",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5381",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4068 (GCVE-0-2016-4068)
Vulnerability from nvd – Published: 2017-04-13 14:00 – Updated: 2024-08-06 00:17
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releases/tag/1.0.9 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4949 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releases/tag/1.1.5 | x_refsource_CONFIRM |
Date Public
2016-01-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:17:30.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-13T12:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-4068",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:2108",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4949",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-4068",
"datePublished": "2017-04-13T14:00:00.000Z",
"dateReserved": "2016-04-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:17:30.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8864 (GCVE-0-2015-8864)
Vulnerability from nvd – Published: 2017-04-13 14:00 – Updated: 2024-08-06 08:29
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releases/tag/1.0.9 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4949 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releases/tag/1.1.5 | x_refsource_CONFIRM |
Date Public
2015-12-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:22.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-13T12:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-8864",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4949",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-8864",
"datePublished": "2017-04-13T14:00:00.000Z",
"dateReserved": "2016-04-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:29:22.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8794 (GCVE-0-2015-8794)
Vulnerability from nvd – Published: 2016-01-29 19:00 – Updated: 2024-09-16 22:20
Summary
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/ | x_refsource_CONFIRM |
| http://trac.roundcube.net/ticket/1490379 | x_refsource_CONFIRM |
| http://trac.roundcube.net/changeset/e84fafcec/github | x_refsource_CONFIRM |
| http://trac.roundcube.net/changeset/6ccd4c54b/github | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-01-29T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8794",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"name": "http://trac.roundcube.net/ticket/1490379",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"name": "http://trac.roundcube.net/changeset/e84fafcec/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"name": "http://trac.roundcube.net/changeset/6ccd4c54b/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8794",
"datePublished": "2016-01-29T19:00:00.000Z",
"dateReserved": "2016-01-29T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:20:24.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8770 (GCVE-0-2015-8770)
Vulnerability from nvd – Published: 2016-01-29 19:00 – Updated: 2024-08-06 08:29
VLAI
Summary
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://security.gentoo.org/glsa/201603-03 | vendor-advisory, x_refsource_GENTOO |
| http://www.debian.org/security/2016/dsa-3541 | vendor-advisory, x_refsource_DEBIAN |
| http://trac.roundcube.net/changeset/10e5192a2b/github | x_refsource_CONFIRM |
| http://www.securityfocus.com/archive/1/537304/100… | mailing-list, x_refsource_BUGTRAQ |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| https://roundcube.net/news/2015/12/26/updates-1.1… | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| http://trac.roundcube.net/ticket/1490620 | x_refsource_CONFIRM |
| http://packetstormsecurity.com/files/135274/Round… | x_refsource_MISC |
| https://www.exploit-db.com/exploits/39245/ | exploit, x_refsource_EXPLOIT-DB |
| https://www.htbridge.com/advisory/HTB23283 | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
Date Public
2015-12-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201603-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-201603-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8770",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201603-03",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"name": "http://trac.roundcube.net/changeset/10e5192a2b/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"name": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"name": "http://trac.roundcube.net/ticket/1490620",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"name": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"name": "https://www.htbridge.com/advisory/HTB23283",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8770",
"datePublished": "2016-01-29T19:00:00.000Z",
"dateReserved": "2016-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:29:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2015-5381
Vulnerability from fkie_nvd - Published: 2017-05-23 04:29 - Updated: 2026-05-13 00:24
Severity
Summary
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D54918-3ADC-4424-8F00-2E546803D94C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:beta:*:*:*:*:*:*",
"matchCriteriaId": "F43DB37D-E806-4404-B589-5A987E6E0659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:rc:*:*:*:*:*:*",
"matchCriteriaId": "A4BB6095-C0D9-4D0A-9E8F-138BA1C19784",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI."
},
{
"lang": "es",
"value": "Vulnerabilidad de tipo Cross-site scripting (XSS) en program/include/rcmail.php en Roundcube Webmail, versiones 1.1.x anteriores a la 1.1.2, que permitir\u00eda a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s del par\u00e1metro _mbox en la URI por defecto."
}
],
"id": "CVE-2015-5381",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-23T04:29:00.540",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-5382
Vulnerability from fkie_nvd - Published: 2017-05-23 04:29 - Updated: 2026-05-13 00:24
Severity
Summary
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| roundcube | roundcube_webmail | * | |
| roundcube | roundcube_webmail | 1.1.1 | |
| roundcube | webmail | 1.1 | |
| roundcube | webmail | 1.1 | |
| roundcube | webmail | 1.1 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DD8E608-8097-4332-B75D-75FACA46A6DD",
"versionEndIncluding": "1.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D54918-3ADC-4424-8F00-2E546803D94C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:beta:*:*:*:*:*:*",
"matchCriteriaId": "F43DB37D-E806-4404-B589-5A987E6E0659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:rc:*:*:*:*:*:*",
"matchCriteriaId": "A4BB6095-C0D9-4D0A-9E8F-138BA1C19784",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard."
},
{
"lang": "es",
"value": "program/steps/addressbook/photo.inc en Roundcube Webmail, en versiones anteriores a la 1.0.6 y 1.1.x anteriores a la 1.1.2, permitir\u00eda a usuarios remotos autenticados leer ficheros arbitrarios a trav\u00e9s del par\u00e1metro _alt parameter cuando cargamos una vCard."
}
],
"id": "CVE-2015-5382",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-23T04:29:00.603",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-5383
Vulnerability from fkie_nvd - Published: 2017-05-23 04:29 - Updated: 2026-05-13 00:24
Severity
Summary
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D54918-3ADC-4424-8F00-2E546803D94C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:beta:*:*:*:*:*:*",
"matchCriteriaId": "F43DB37D-E806-4404-B589-5A987E6E0659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:rc:*:*:*:*:*:*",
"matchCriteriaId": "A4BB6095-C0D9-4D0A-9E8F-138BA1C19784",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory."
},
{
"lang": "es",
"value": "Roundcube Webmail versiones 1.1.x anteriores a la 1.1.2, permitir\u00eda a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de la lectura de ficheros en los directorios (1) config, (2) temp, o (3) logs."
}
],
"id": "CVE-2015-5383",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-05-23T04:29:00.667",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"source": "cve@mitre.org",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-4068
Vulnerability from fkie_nvd - Published: 2017-04-13 14:59 - Updated: 2026-05-13 00:24
Severity
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "879B0231-CCBE-46C6-A270-FAE9153083E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9F775761-4DC1-4A73-A809-0B0F267FA572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B923FB14-6700-4341-B63B-B09414C5C077",
"versionEndIncluding": "1.0.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D54918-3ADC-4424-8F00-2E546803D94C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:beta:*:*:*:*:*:*",
"matchCriteriaId": "F43DB37D-E806-4404-B589-5A987E6E0659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:rc:*:*:*:*:*:*",
"matchCriteriaId": "A4BB6095-C0D9-4D0A-9E8F-138BA1C19784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4994583F-12AE-485C-B76C-C914A06D98F4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en Roundcube Webmail en versiones anteriores a 1.0.9 y 1.1.x en versiones anteriores a 1.1.5 permite a atacantes remotos inyectar scripts web o HTML a trav\u00e9s de un SVG manipulado, una vulnerabilidad diferente a CVE-2015-8864."
}
],
"id": "CVE-2016-4068",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-13T14:59:01.713",
"references": [
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-8864
Vulnerability from fkie_nvd - Published: 2017-04-13 14:59 - Updated: 2026-05-13 00:24
Severity
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "879B0231-CCBE-46C6-A270-FAE9153083E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9F775761-4DC1-4A73-A809-0B0F267FA572",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B923FB14-6700-4341-B63B-B09414C5C077",
"versionEndIncluding": "1.0.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "55D54918-3ADC-4424-8F00-2E546803D94C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:beta:*:*:*:*:*:*",
"matchCriteriaId": "F43DB37D-E806-4404-B589-5A987E6E0659",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1:rc:*:*:*:*:*:*",
"matchCriteriaId": "A4BB6095-C0D9-4D0A-9E8F-138BA1C19784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4994583F-12AE-485C-B76C-C914A06D98F4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068."
},
{
"lang": "es",
"value": "La vulnerabilidad XSS en Roundcube Webmail en versiones anteriores a 1.0.9 y 1.1.x en versiones anteriores a 1.1.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de un SVG manipulado, una vulnerabilidad diferente a CVE-2016-4068."
}
],
"id": "CVE-2015-8864",
"lastModified": "2026-05-13T00:24:29.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-13T14:59:01.197",
"references": [
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
},
{
"source": "security@debian.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-8794
Vulnerability from fkie_nvd - Published: 2016-01-29 19:59 - Updated: 2026-05-06 22:30
Severity
Summary
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| roundcube | roundcube_webmail | * | |
| roundcube | roundcube_webmail | 1.1.0 | |
| roundcube | roundcube_webmail | 1.1.1 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8DD8E608-8097-4332-B75D-75FACA46A6DD",
"versionEndIncluding": "1.0.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E9EB6E2E-9715-4480-A54F-91A23C6EE209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de ruta absoluta en program/steps/addressbook/photo.inc en Roundcube en versiones anteriores a 1.0.6 y 1.1.x en versiones anteriores a 1.1.2 permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de un nombre de ruta completa en el par\u00e1metro _alt, relacionado con la manipulaci\u00f3n de la foto de contacto."
}
],
"id": "CVE-2015-8794",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-29T19:59:06.140",
"references": [
{
"source": "cve@mitre.org",
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
},
{
"source": "cve@mitre.org",
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"source": "cve@mitre.org",
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-8770
Vulnerability from fkie_nvd - Published: 2016-01-29 19:59 - Updated: 2026-05-06 22:30
Severity
Summary
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| roundcube | roundcube_webmail | * | |
| roundcube | roundcube_webmail | 1.1.0 | |
| roundcube | roundcube_webmail | 1.1.1 | |
| roundcube | roundcube_webmail | 1.1.2 | |
| roundcube | roundcube_webmail | 1.1.3 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEE5687C-56F7-48CD-847D-55EBEDD4A286",
"versionEndIncluding": "1.0.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E9EB6E2E-9715-4480-A54F-91A23C6EE209",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DDB20CBA-5A6E-4AAA-8ACF-91FF96488F4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "879B0231-CCBE-46C6-A270-FAE9153083E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:roundcube_webmail:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9F775761-4DC1-4A73-A809-0B0F267FA572",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en la funci\u00f3n set_skin en program/include/rcmail_output_html.php en Roundcube en versiones anteriores a 1.0.8 y 1.1.x en versiones anteriores a 1.1.4 permite a usuarios remotos autenticados con ciertos permisos leer archivos arbitrarios o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de un .. (punto punto) en el par\u00e1metro _skin en index.php."
}
],
"id": "CVE-2015-8770",
"lastModified": "2026-05-06T22:30:45.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2016-01-29T19:59:00.107",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"source": "cve@mitre.org",
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"source": "cve@mitre.org",
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2015-5382 (GCVE-0-2015-5382)
Vulnerability from cvelistv5 – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
6 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4817 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2015/07/07/3 | mailing-list, x_refsource_MLIST |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.830Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5382",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/e84fafcec22e7b460db03248dc23ed6b053b15c9"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/6ccd4c54bcc4cb77365defabe8bbe7d10b2620d4"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4817",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4817"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "[oss-security] 20150707 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5382",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5383 (GCVE-0-2015-5383)
Vulnerability from cvelistv5 – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4816 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.802Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5383",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/012555c1cef35601b543cde67bff8726de97eb39"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4816",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4816"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5383",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5381 (GCVE-0-2015-5381)
Vulnerability from cvelistv5 – Published: 2017-05-23 03:56 – Updated: 2024-08-06 06:50
Summary
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
5 references
| URL | Tags |
|---|---|
| http://www.openwall.com/lists/oss-security/2015/07/07/2 | mailing-list, x_refsource_MLIST |
| http://trac.roundcube.net/ticket/1490417 | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4837 | x_refsource_CONFIRM |
| https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc | x_refsource_CONFIRM |
Date Public
2015-06-05 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:50:00.833Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-05T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-05-23T01:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5381",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20150706 Re: CVE request for vulnerabilities fixed in roundcubemail 1.1.2 and 1.0.6",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/07/07/2"
},
{
"name": "http://trac.roundcube.net/ticket/1490417",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490417"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4837",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4837"
},
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5381",
"datePublished": "2017-05-23T03:56:00.000Z",
"dateReserved": "2015-07-06T00:00:00.000Z",
"dateUpdated": "2024-08-06T06:50:00.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-4068 (GCVE-0-2016-4068)
Vulnerability from cvelistv5 – Published: 2017-04-13 14:00 – Updated: 2024-08-06 00:17
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/wiki/C… | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releas… | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/commit… | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4949 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releas… | x_refsource_CONFIRM |
Date Public
2016-01-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T00:17:30.877Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-13T12:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-4068",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2016:2108",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4949",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-4068",
"datePublished": "2017-04-13T14:00:00.000Z",
"dateReserved": "2016-04-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T00:17:30.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8864 (GCVE-0-2015-8864)
Vulnerability from cvelistv5 – Published: 2017-04-13 14:00 – Updated: 2024-08-06 08:29
Summary
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/roundcube/roundcubemail/commit… | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/wiki/C… | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releas… | x_refsource_CONFIRM |
| https://github.com/roundcube/roundcubemail/issues/4949 | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-updates/2016-0… | vendor-advisory, x_refsource_SUSE |
| https://github.com/roundcube/roundcubemail/releas… | x_refsource_CONFIRM |
Date Public
2015-12-29 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:22.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-13T12:57:01.000Z",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2015-8864",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18"
},
{
"name": "openSUSE-SU-2016:2108",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115"
},
{
"name": "openSUSE-SU-2016:2109",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.0.9"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/4949",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/issues/4949"
},
{
"name": "openSUSE-SU-2016:2127",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.5"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2015-8864",
"datePublished": "2017-04-13T14:00:00.000Z",
"dateReserved": "2016-04-23T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:29:22.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8794 (GCVE-0-2015-8794)
Vulnerability from cvelistv5 – Published: 2016-01-29 19:00 – Updated: 2024-09-16 22:20
Summary
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://roundcube.net/news/2015/06/05/updates-1.1… | x_refsource_CONFIRM |
| http://trac.roundcube.net/ticket/1490379 | x_refsource_CONFIRM |
| http://trac.roundcube.net/changeset/e84fafcec/github | x_refsource_CONFIRM |
| http://trac.roundcube.net/changeset/6ccd4c54b/github | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-01-29T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8794",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/"
},
{
"name": "http://trac.roundcube.net/ticket/1490379",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490379"
},
{
"name": "http://trac.roundcube.net/changeset/e84fafcec/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/e84fafcec/github"
},
{
"name": "http://trac.roundcube.net/changeset/6ccd4c54b/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/6ccd4c54b/github"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8794",
"datePublished": "2016-01-29T19:00:00.000Z",
"dateReserved": "2016-01-29T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:20:24.123Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8770 (GCVE-0-2015-8770)
Vulnerability from cvelistv5 – Published: 2016-01-29 19:00 – Updated: 2024-08-06 08:29
Summary
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
12 references
| URL | Tags |
|---|---|
| https://security.gentoo.org/glsa/201603-03 | vendor-advisory, x_refsource_GENTOO |
| http://www.debian.org/security/2016/dsa-3541 | vendor-advisory, x_refsource_DEBIAN |
| http://trac.roundcube.net/changeset/10e5192a2b/github | x_refsource_CONFIRM |
| http://www.securityfocus.com/archive/1/537304/100… | mailing-list, x_refsource_BUGTRAQ |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| https://roundcube.net/news/2015/12/26/updates-1.1… | x_refsource_CONFIRM |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
| http://trac.roundcube.net/ticket/1490620 | x_refsource_CONFIRM |
| http://packetstormsecurity.com/files/135274/Round… | x_refsource_MISC |
| https://www.exploit-db.com/exploits/39245/ | exploit, x_refsource_EXPLOIT-DB |
| https://www.htbridge.com/advisory/HTB23283 | x_refsource_MISC |
| http://lists.opensuse.org/opensuse-security-annou… | vendor-advisory, x_refsource_SUSE |
Date Public
2015-12-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:29:21.994Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GLSA-201603-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-12-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "GLSA-201603-03",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8770",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "GLSA-201603-03",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201603-03"
},
{
"name": "DSA-3541",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3541"
},
{
"name": "http://trac.roundcube.net/changeset/10e5192a2b/github",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/changeset/10e5192a2b/github"
},
{
"name": "20160113 Remote Code Execution in Roundcube",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/537304/100/0/threaded"
},
{
"name": "openSUSE-SU-2016:0214",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00030.html"
},
{
"name": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2015/12/26/updates-1.1.4-and-1.0.8-released/"
},
{
"name": "openSUSE-SU-2016:0210",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00028.html"
},
{
"name": "http://trac.roundcube.net/ticket/1490620",
"refsource": "CONFIRM",
"url": "http://trac.roundcube.net/ticket/1490620"
},
{
"name": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/135274/Roundcube-1.1.3-Path-Traversal.html"
},
{
"name": "39245",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/39245/"
},
{
"name": "https://www.htbridge.com/advisory/HTB23283",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23283"
},
{
"name": "openSUSE-SU-2016:0213",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00029.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8770",
"datePublished": "2016-01-29T19:00:00.000Z",
"dateReserved": "2016-01-13T00:00:00.000Z",
"dateUpdated": "2024-08-06T08:29:21.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}