76 vulnerabilities by Roundcube
CVE-2026-26079 (GCVE-0-2026-26079)
Vulnerability from cvelistv5 – Published: 2026-02-11 04:27 – Updated: 2026-02-11 16:06
Summary
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
Severity ?
4.7 (Medium)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-11T16:05:48.013957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T16:06:28.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.5.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.6.13",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.13",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T04:44:01.342Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://roundcube.net/news/2026/02/08/security-updates-1.6.13-and-1.5.13"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.13"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/1f4c3a5af5033747f9685a8a395dbd8228d19816"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/2b5625f1d2ef7e050fd1ae481b2a52dc35466447"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/53d75d5dfebef235a344d476b900c20c12d52b01"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.13"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/bf89cbaa5897d8ad62e8057d9a3f6babb90b7954"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/5a3315cce587e0be58335d11ff9a5571c90494a5"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/c15f5dbf093a497e19a749b20e7f8fb5a9c24cde"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-26079",
"datePublished": "2026-02-11T04:27:24.156Z",
"dateReserved": "2026-02-11T04:27:24.001Z",
"dateUpdated": "2026-02-11T16:06:28.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25916 (GCVE-0-2026-25916)
Vulnerability from cvelistv5 – Published: 2026-02-09 08:14 – Updated: 2026-02-09 15:05
Summary
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when "Block remote images" is used, does not block SVG feImage.
Severity ?
4.3 (Medium)
CWE
- CWE-420 - Unprotected Alternate Channel
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25916",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-09T14:54:49.903109Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T15:05:40.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.5.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.6.13",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.13",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13, when \"Block remote images\" is used, does not block SVG feImage."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-420",
"description": "CWE-420 Unprotected Alternate Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-09T08:19:52.048Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://nullcathedral.com/posts/2026-02-08-roundcube-svg-feimage-remote-image-bypass/"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/26d7677"
},
{
"url": "https://news.ycombinator.com/item?id=46937012"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-25916",
"datePublished": "2026-02-09T08:14:10.177Z",
"dateReserved": "2026-02-09T08:14:10.021Z",
"dateUpdated": "2026-02-09T15:05:40.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68461 (GCVE-0-2025-68461)
Vulnerability from cvelistv5 – Published: 2025-12-18 05:00 – Updated: 2025-12-18 18:53
Summary
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T18:26:21.207533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T18:53:48.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.5.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.6.12",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.12",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T05:22:19.998Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/bfa032631c36b900e7444dfa278340b33cbf7cdb"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68461",
"datePublished": "2025-12-18T05:00:54.423Z",
"dateReserved": "2025-12-18T05:00:54.176Z",
"dateUpdated": "2025-12-18T18:53:48.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68460 (GCVE-0-2025-68460)
Vulnerability from cvelistv5 – Published: 2025-12-18 04:54 – Updated: 2025-12-18 18:53
Summary
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer.
Severity ?
7.2 (High)
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68460",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T18:27:49.263470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T18:53:53.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.5.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.6.12",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.12",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a information disclosure vulnerability in the HTML style sanitizer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T05:21:51.927Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/08de250fba731b634bed188bbe18d2f6ef3c7571"
}
],
"x_generator": {
"engine": "CVE-Request-form 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-68460",
"datePublished": "2025-12-18T04:54:13.338Z",
"dateReserved": "2025-12-18T04:54:13.074Z",
"dateUpdated": "2025-12-18T18:53:53.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49113 (GCVE-0-2025-49113)
Vulnerability from cvelistv5 – Published: 2025-06-02 00:00 – Updated: 2025-06-12 16:09
Summary
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Severity ?
9.9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49113",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-11T04:01:26.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-06-09T03:27:58.478Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/06/02/3"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Webmail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.5.10",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.6.11",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.5.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.6.11",
"versionStartIncluding": "1.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T16:09:32.854Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10"
},
{
"url": "https://github.com/roundcube/roundcubemail/pull/9865"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.11"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.10"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e"
},
{
"url": "https://fearsoff.org/research/roundcube"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-49113",
"datePublished": "2025-06-02T00:00:00.000Z",
"dateReserved": "2025-06-02T00:00:00.000Z",
"dateUpdated": "2025-06-12T16:09:32.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-57004 (GCVE-0-2024-57004)
Vulnerability from cvelistv5 – Published: 2025-02-03 00:00 – Updated: 2025-02-12 19:18
Summary
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
Severity ?
6.1 (Medium)
CWE
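- n/a in the CNA record; the CISA-ADP container in the JSON below assigns CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS))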
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-57004",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T19:21:15.401940Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:18:08.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T18:45:36.216Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.9"
},
{
"url": "https://github.com/riya98241/CVE/blob/main/CVE-2024-57004"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-57004",
"datePublished": "2025-02-03T00:00:00.000Z",
"dateReserved": "2025-01-09T00:00:00.000Z",
"dateUpdated": "2025-02-12T19:18:08.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42008 (GCVE-0-2024-42008)
Vulnerability from cvelistv5 – Published: 2024-08-05 00:00 – Updated: 2025-03-13 15:35
Summary
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
Severity ?
9.3 (Critical)
CWE
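- n/a in the CNA record; the CISA-ADP container in the JSON below assigns CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))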
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T19:56:10.571065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T15:35:39.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting vulnerability in rcmail_action_mail_get-\u003erun() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:06:20.558Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases"
},
{
"url": "https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.8"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.8"
},
{
"url": "https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42008",
"datePublished": "2024-08-05T00:00:00.000Z",
"dateReserved": "2024-07-26T00:00:00.000Z",
"dateUpdated": "2025-03-13T15:35:39.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-42009 (GCVE-0-2024-42009)
Vulnerability from cvelistv5 – Published: 2024-08-05 00:00 – Updated: 2025-10-21 22:55
Summary
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Severity ?
9.3 (Critical)
CWE
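- n/a in the CNA record; the CISA-ADP container in the JSON below assigns CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) and records the CVE as added to the CISA KEV catalog on 2025-06-09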
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-42009",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T03:56:09.393444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-06-09",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:55:48.964Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-06-09T00:00:00+00:00",
"value": "CVE-2024-42009 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-05T19:07:08.180Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases"
},
{
"url": "https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.8"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.8"
},
{
"url": "https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-42009",
"datePublished": "2024-08-05T00:00:00.000Z",
"dateReserved": "2024-07-26T00:00:00.000Z",
"dateUpdated": "2025-10-21T22:55:48.964Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37385 (GCVE-0-2024-37385)
Vulnerability from cvelistv5 – Published: 2024-06-07 03:24 – Updated: 2025-02-13 15:59
Summary
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
Severity ?
9.8 (Critical)
CWE
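- n/a in the CNA record; the CISA-ADP container in the JSON below assigns CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))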
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "roundcube_webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:roundcube:roundcube_webmail:1.6.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "roundcube_webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.6.7",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-15T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-16T04:01:39.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c0590fec7015d35d7f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-07T03:24:23.890Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c0590fec7015d35d7f"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37385",
"datePublished": "2024-06-07T03:24:23.567Z",
"dateReserved": "2024-06-07T00:00:00.000Z",
"dateUpdated": "2025-02-13T15:59:49.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37383 (GCVE-0-2024-37383)
Vulnerability from cvelistv5 – Published: 2024-06-07 00:00 – Updated: 2025-10-21 23:05
Summary
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Severity ?
6.1 (Medium)
CWE
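- n/a in the CNA record; the CISA-ADP container in the JSON below assigns CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')) and records the CVE as added to the CISA KEV catalog on 2024-10-24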
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.6.7",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.6.7",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37383",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-25T18:32:17.897490Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-10-24",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:16.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-37383"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-24T00:00:00+00:00",
"value": "CVE-2024-37383 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"name": "[debian-lts-announce] 20240617 [SECURITY] [DLA 3835-1] roundcube security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T15:06:03.393Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"name": "[debian-lts-announce] 20240617 [SECURITY] [DLA 3835-1] roundcube security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37383",
"datePublished": "2024-06-07T00:00:00.000Z",
"dateReserved": "2024-06-07T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:05:16.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37384 (GCVE-0-2024-37384)
Vulnerability from cvelistv5 – Published: 2024-06-07 00:00 – Updated: 2024-11-04 16:24
Summary
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:roundcube:roundcube_webmail:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "roundcube_webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.5.7",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "1.6.7",
"status": "affected",
"version": "1.6.x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-37384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-17T17:48:19.770411Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T16:24:03.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:56.175Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7"
},
{
"name": "[debian-lts-announce] 20240617 [SECURITY] [DLA 3835-1] roundcube security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-17T15:06:04.942031",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.7"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.7"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7"
},
{
"name": "[debian-lts-announce] 20240617 [SECURITY] [DLA 3835-1] roundcube security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-37384",
"datePublished": "2024-06-07T00:00:00",
"dateReserved": "2024-06-07T00:00:00",
"dateUpdated": "2024-11-04T16:24:03.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-47272 (GCVE-0-2023-47272)
Vulnerability from cvelistv5 – Published: 2023-11-05 00:00 – Updated: 2024-08-02 21:09
Summary
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:09:37.368Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.6"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/5ec496885e18ec6af956e8c0d627856c2257ba2d"
},
{
"name": "FEDORA-2023-70578c5599",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4F4DUA3Q46ZVB2RD7BFP4XMNS4RYFFQ/"
},
{
"name": "FEDORA-2023-0fd9865145",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFRGBPET73URF6364CI547ZVWQESJLGK/"
},
{
"name": "FEDORA-2023-cf584ed77a",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GILSR762MJB3BNJOVOCMW2JXEPV46IIQ/"
},
{
"name": "DSA-5572",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5572"
},
{
"name": "[debian-lts-announce] 20231204 [SECURITY] [DLA 3683-1] roundcube security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:L/I:L/PR:N/S:C/UI:R",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-05T01:06:29.421786",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.6"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.5"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/5ec496885e18ec6af956e8c0d627856c2257ba2d"
},
{
"name": "FEDORA-2023-70578c5599",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z4F4DUA3Q46ZVB2RD7BFP4XMNS4RYFFQ/"
},
{
"name": "FEDORA-2023-0fd9865145",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YFRGBPET73URF6364CI547ZVWQESJLGK/"
},
{
"name": "FEDORA-2023-cf584ed77a",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GILSR762MJB3BNJOVOCMW2JXEPV46IIQ/"
},
{
"name": "DSA-5572",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5572"
},
{
"name": "[debian-lts-announce] 20231204 [SECURITY] [DLA 3683-1] roundcube security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/12/msg00005.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-47272",
"datePublished": "2023-11-05T00:00:00",
"dateReserved": "2023-11-05T00:00:00",
"dateUpdated": "2024-08-02T21:09:37.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5631 (GCVE-0-2023-5631)
Vulnerability from cvelistv5 – Published: 2023-10-18 14:51 – Updated: 2025-10-21 23:05
Title
Stored XSS vulnerability in Roundcube
Summary
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
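| Vendor | Product | Version |
|---|---|---|
| Roundcube | Roundcubemail | Affected: 1.6.0 , < 1.6.3 (semver); Affected: 1.5.0 , < 1.5.4 (semver); Affected: 1.4.0 , < 1.5.14 (semver); Unaffected: 1.6.4; Unaffected: 1.5.5; Unaffected: 1.5.15 |

Note: these ranges are reproduced as given in the CNA record and do not match the Summary, which names the fixed releases as 1.4.15, 1.5.5 and 1.6.4. When checking whether an installation is exposed, compare its version against the Summary and the linked release tags rather than this table.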
Credits
Matthieu Faou
Denys Klymenko
Aleksander Machniak
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:07:32.513Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.4"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.15"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/9168"
},
{
"tags": [
"x_transferred"
],
"url": "https://roundcube.net/news/2023/10/16/security-update-1.6.4-released"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d"
},
{
"tags": [
"x_transferred"
],
"url": "https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5531"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/01/1"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/01/3"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5631",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-11-15T16:39:21.592115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-10-26",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5631"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:34.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-5631"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-10-26T00:00:00+00:00",
"value": "CVE-2023-5631 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Roundcubemail",
"repo": "https://github.com/roundcube/roundcubemail",
"vendor": "Roundcube",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "1.6.0",
"versionType": "semver"
},
{
"lessThan": "1.5.4",
"status": "affected",
"version": "1.5.0",
"versionType": "semver"
},
{
"lessThan": "1.5.14",
"status": "affected",
"version": "1.4.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "1.6.4"
},
{
"status": "unaffected",
"version": "1.5.5"
},
{
"status": "unaffected",
"version": "1.5.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Matthieu Faou"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Denys Klymenko"
},
{
"lang": "en",
"type": "remediation developer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aleksander Machniak"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003eRoundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker\n\nto load arbitrary JavaScript code.\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
}
],
"value": "Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker\n\nto load arbitrary JavaScript code."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Actively used in the wild.\n\n\u003cbr\u003e"
}
],
"value": "Actively used in the wild."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-17T15:06:13.428Z",
"orgId": "4a9b9929-2450-4021-b7b9-469a0255b215",
"shortName": "ESET"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/commit/6ee6e7ae301e165e2b2cb703edf75552e5376613"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.6.4"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.5.5"
},
{
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.15"
},
{
"url": "https://github.com/roundcube/roundcubemail/issues/9168"
},
{
"url": "https://roundcube.net/news/2023/10/16/security-update-1.6.4-released"
},
{
"url": "https://github.com/roundcube/roundcubemail/commit/41756cc3331b495cc0b71886984474dc529dd31d"
},
{
"url": "https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15"
},
{
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054079"
},
{
"url": "https://www.debian.org/security/2023/dsa-5531"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00035.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/01/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/01/3"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LK67Q46OIEGJCRQUBHKLH3IIJTBNGGX4/"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/11/17/2"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS vulnerability in Roundcube",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a9b9929-2450-4021-b7b9-469a0255b215",
"assignerShortName": "ESET",
"cveId": "CVE-2023-5631",
"datePublished": "2023-10-18T14:51:18.443Z",
"dateReserved": "2023-10-18T06:50:57.504Z",
"dateUpdated": "2025-10-21T23:05:34.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43770 (GCVE-0-2023-43770)
Vulnerability from cvelistv5 – Published: 2023-09-22 00:00 – Updated: 2025-10-21 23:05
Summary
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.4.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:1.5.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.5.4",
"status": "affected",
"version": "1.5.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:1.6.0:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "1.6.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "debian_linux",
"vendor": "debian",
"versions": [
{
"status": "affected",
"version": "10"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"dateAdded": "2024-02-12",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43770"
},
"type": "kev"
}
},
{
"other": {
"content": {
"id": "CVE-2023-43770",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T18:43:07.516175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:05:36.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-43770"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-12T00:00:00+00:00",
"value": "CVE-2023-43770 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.104Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b"
},
{
"tags": [
"x_transferred"
],
"url": "https://roundcube.net/news/2023/09/15/security-update-1.6.3-released"
},
{
"name": "[debian-lts-announce] 20230922 [SECURITY] [DLA 3577-1] roundcube security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-22T13:06:08.676Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b"
},
{
"url": "https://roundcube.net/news/2023/09/15/security-update-1.6.3-released"
},
{
"name": "[debian-lts-announce] 20230922 [SECURITY] [DLA 3577-1] roundcube security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00024.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-43770",
"datePublished": "2023-09-22T00:00:00.000Z",
"dateReserved": "2023-09-22T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:05:36.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-46144 (GCVE-0-2021-46144)
Vulnerability from cvelistv5 – Published: 2022-01-06 04:08 – Updated: 2024-08-04 05:02
Summary
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T05:02:10.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2021/12/30/update-1.5.2-released"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2021/12/30/security-update-1.4.13-released"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/1003027"
},
{
"name": "DSA-5037",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5037"
},
{
"name": "[debian-lts-announce] 20220112 [SECURITY] [DLA 2878-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00005.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-12T17:06:26",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2021/12/30/update-1.5.2-released"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2021/12/30/security-update-1.4.13-released"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/1003027"
},
{
"name": "DSA-5037",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2022/dsa-5037"
},
{
"name": "[debian-lts-announce] 20220112 [SECURITY] [DLA 2878-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00005.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-46144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0"
},
{
"name": "https://roundcube.net/news/2021/12/30/update-1.5.2-released",
"refsource": "MISC",
"url": "https://roundcube.net/news/2021/12/30/update-1.5.2-released"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8"
},
{
"name": "https://roundcube.net/news/2021/12/30/security-update-1.4.13-released",
"refsource": "MISC",
"url": "https://roundcube.net/news/2021/12/30/security-update-1.4.13-released"
},
{
"name": "https://bugs.debian.org/1003027",
"refsource": "MISC",
"url": "https://bugs.debian.org/1003027"
},
{
"name": "DSA-5037",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5037"
},
{
"name": "[debian-lts-announce] 20220112 [SECURITY] [DLA 2878-1] roundcube security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/01/msg00005.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-46144",
"datePublished": "2022-01-06T04:08:32",
"dateReserved": "2022-01-06T00:00:00",
"dateUpdated": "2024-08-04T05:02:10.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44025 (GCVE-0-2021-44025)
Vulnerability from cvelistv5 – Published: 2021-11-19 03:47 – Updated: 2024-08-04 04:10
Summary
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.205Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/1000156"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/8193"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7"
},
{
"name": "FEDORA-2021-167865df98",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment\u0027s filename extension when displaying a MIME type warning message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-06T21:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/1000156"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/issues/8193"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7"
},
{
"name": "FEDORA-2021-167865df98",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-44025",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment\u0027s filename extension when displaying a MIME type warning message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/1000156",
"refsource": "MISC",
"url": "https://bugs.debian.org/1000156"
},
{
"name": "https://github.com/roundcube/roundcubemail/issues/8193",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/issues/8193"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7"
},
{
"name": "FEDORA-2021-167865df98",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-44025",
"datePublished": "2021-11-19T03:47:48",
"dateReserved": "2021-11-19T00:00:00",
"dateUpdated": "2024-08-04T04:10:17.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-44026 (GCVE-0-2021-44026)
Vulnerability from cvelistv5 – Published: 2021-11-19 03:47 – Updated: 2025-10-21 23:25
Summary
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T04:10:17.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/1000156"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa"
},
{
"name": "FEDORA-2021-167865df98",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-44026",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:33:07.855191Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-06-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44026"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:25:24.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44026"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-22T00:00:00+00:00",
"value": "CVE-2021-44026 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-12-06T21:06:05.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/1000156"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa"
},
{
"name": "FEDORA-2021-167865df98",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-44026",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.debian.org/1000156",
"refsource": "MISC",
"url": "https://bugs.debian.org/1000156"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa"
},
{
"name": "FEDORA-2021-167865df98",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/"
},
{
"name": "FEDORA-2021-43d3c10590",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/"
},
{
"name": "DSA-5013",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-5013"
},
{
"name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-44026",
"datePublished": "2021-11-19T03:47:27.000Z",
"dateReserved": "2021-11-19T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:25:24.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-18671 (GCVE-0-2020-18671)
Vulnerability from cvelistv5 – Published: 2021-06-24 18:14 – Updated: 2024-08-04 14:00
Summary
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:49.358Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulnerability in Roundcube Mail \u003c=1.4.4 via smtp config in /installer/test.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T18:14:12",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-18671",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) vulnerability in Roundcube Mail \u003c=1.4.4 via smtp config in /installer/test.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/issues/7406",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"name": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12",
"refsource": "MISC",
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config",
"refsource": "MISC",
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-18671",
"datePublished": "2021-06-24T18:14:12",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:00:49.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-18670 (GCVE-0-2020-18670)
Vulnerability from cvelistv5 – Published: 2021-06-24 18:07 – Updated: 2024-08-04 14:00
Summary
Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:00:49.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-24T18:07:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-18670",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/issues/7406",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/issues/7406"
},
{
"name": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12",
"refsource": "MISC",
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php",
"refsource": "MISC",
"url": "https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-18670",
"datePublished": "2021-06-24T18:07:54",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:00:49.339Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-26925 (GCVE-0-2021-26925)
Vulnerability from cvelistv5 – Published: 2021-02-09 08:53 – Updated: 2024-08-03 20:33
Summary
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:33:41.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2021/02/08/security-update-1.4.11"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596"
},
{
"name": "FEDORA-2021-aef54ec149",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/"
},
{
"name": "FEDORA-2021-434b65378a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-17T06:06:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2021/02/08/security-update-1.4.11"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596"
},
{
"name": "FEDORA-2021-aef54ec149",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/"
},
{
"name": "FEDORA-2021-434b65378a",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-26925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://roundcube.net/news/2021/02/08/security-update-1.4.11",
"refsource": "MISC",
"url": "https://roundcube.net/news/2021/02/08/security-update-1.4.11"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596"
},
{
"name": "FEDORA-2021-aef54ec149",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/"
},
{
"name": "FEDORA-2021-434b65378a",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-26925",
"datePublished": "2021-02-09T08:53:14",
"dateReserved": "2021-02-09T00:00:00",
"dateUpdated": "2024-08-03T20:33:41.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-35730 (GCVE-0-2020-35730)
Vulnerability from cvelistv5 – Published: 2020-12-28 19:37 – Updated: 2025-10-21 23:35
Summary
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:09:15.160Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/download/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.alexbirnberg.com/roundcube-xss.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.10"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.16"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.13"
},
{
"name": "FEDORA-2021-2cb0643316",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/"
},
{
"name": "FEDORA-2021-73359af51c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-35730",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T20:21:48.700288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-06-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-35730"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:31.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-35730"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-22T00:00:00+00:00",
"value": "CVE-2020-35730 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-13T03:06:08.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/download/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.alexbirnberg.com/roundcube-xss.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.10"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.16"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.13"
},
{
"name": "FEDORA-2021-2cb0643316",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/"
},
{
"name": "FEDORA-2021-73359af51c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-35730",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://roundcube.net/download/",
"refsource": "MISC",
"url": "https://roundcube.net/download/"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491",
"refsource": "CONFIRM",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491"
},
{
"name": "https://www.alexbirnberg.com/roundcube-xss.html",
"refsource": "MISC",
"url": "https://www.alexbirnberg.com/roundcube-xss.html"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.10",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.10"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.16",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.16"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.13",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.13"
},
{
"name": "FEDORA-2021-2cb0643316",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/"
},
{
"name": "FEDORA-2021-73359af51c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-35730",
"datePublished": "2020-12-28T19:37:08.000Z",
"dateReserved": "2020-12-27T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:31.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16145 (GCVE-0-2020-16145)
Vulnerability from cvelistv5 – Published: 2020-08-12 12:29 – Updated: 2024-08-04 13:37
Summary
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:37:53.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.15"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070"
},
{
"name": "FEDORA-2020-d0f8f20cfc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DAXK3565NYK4OEZVTW6S5LEVIDQEY2E/"
},
{
"name": "FEDORA-2020-b1e023936e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLUQRIBAMEQVBO6GUZECCHJDJIWCYFU/"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T17:07:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.15"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070"
},
{
"name": "FEDORA-2020-d0f8f20cfc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DAXK3565NYK4OEZVTW6S5LEVIDQEY2E/"
},
{
"name": "FEDORA-2020-b1e023936e",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBLUQRIBAMEQVBO6GUZECCHJDJIWCYFU/"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-16145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.8",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.8"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.15",
"refsource": "CONFIRM",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.15"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070"
},
{
"name": "FEDORA-2020-d0f8f20cfc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DAXK3565NYK4OEZVTW6S5LEVIDQEY2E/"
},
{
"name": "FEDORA-2020-b1e023936e",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBLUQRIBAMEQVBO6GUZECCHJDJIWCYFU/"
},
{
"name": "openSUSE-SU-2020:1516",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-16145",
"datePublished": "2020-08-12T12:29:44",
"dateReserved": "2020-07-29T00:00:00",
"dateUpdated": "2024-08-04T13:37:53.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15562 (GCVE-0-2020-15562)
Vulnerability from cvelistv5 – Published: 2020-07-06 11:26 – Updated: 2024-08-04 13:22
Summary
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:22:29.362Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.14"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82"
},
{
"name": "DSA-4720",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4720"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T17:07:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.14"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82"
},
{
"name": "DSA-4720",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4720"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-15562",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.7",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.7"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.14",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.14"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.11",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.11"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82"
},
{
"name": "DSA-4720",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4720"
},
{
"name": "openSUSE-SU-2020:1516",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-15562",
"datePublished": "2020-07-06T11:26:09",
"dateReserved": "2020-07-06T00:00:00",
"dateUpdated": "2024-08-04T13:22:29.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13964 (GCVE-0-2020-13964)
Vulnerability from cvelistv5 – Published: 2020-06-09 02:45 – Updated: 2024-08-04 12:32
Summary
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-19T02:06:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13964",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"name": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13964",
"datePublished": "2020-06-09T02:45:35",
"dateReserved": "2020-06-09T00:00:00",
"dateUpdated": "2024-08-04T12:32:14.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13965 (GCVE-0-2020-13965)
Vulnerability from cvelistv5 – Published: 2020-06-09 02:45 – Updated: 2025-10-21 23:35
Summary
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Severity ?
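6.3 (Medium), CVSS 3.1 as scored in the CISA-ADP container of the record below; that container also marks exploitation as active and records the addition to the CISA KEV catalog on 2024-06-26.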
CWE
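- n/a in the CNA record; the CISA-ADP container below assigns CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page, Basic XSS)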
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.3.12",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:roundcube:webmail:1.4.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webmail",
"vendor": "roundcube",
"versions": [
{
"lessThan": "1.4.5",
"status": "affected",
"version": "1.4.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-13965",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T15:33:41.762093Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2024-06-26",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13965"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:42.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-13965"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-26T00:00:00+00:00",
"value": "CVE-2020-13965 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:32:14.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-21T13:57:32.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5"
},
{
"name": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12",
"refsource": "CONFIRM",
"url": "https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"
},
{
"name": "DSA-4700",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4700"
},
{
"name": "FEDORA-2020-2a1a6a8432",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"
},
{
"name": "FEDORA-2020-aeffd92b77",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13965",
"datePublished": "2020-06-09T02:45:24.000Z",
"dateReserved": "2020-06-09T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:42.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12640 (GCVE-0-2020-12640)
Vulnerability from cvelistv5 – Published: 2020-05-04 14:58 – Updated: 2024-08-04 12:04
Summary
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.314Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T17:07:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12640",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10",
"refsource": "MISC",
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube"
},
{
"name": "GLSA-202007-41",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12640",
"datePublished": "2020-05-04T14:58:28",
"dateReserved": "2020-05-04T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.314Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12641 (GCVE-0-2020-12641)
Vulnerability from cvelistv5 – Published: 2020-05-04 14:58 – Updated: 2025-10-21 23:35
Summary
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Severity ?
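9.8 (Critical) — CVSS 3.1 base score supplied by the CISA-ADP container, not the CNA. The same container marks exploitation as active and records the CVE's addition to the CISA KEV catalog on 2023-06-22.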
CWE
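- n/a (none supplied by the CNA; the CISA-ADP container in the record below assigns CWE-78, OS Command Injection)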
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-12641",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T19:53:48.191667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2023-06-22",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12641"
},
"type": "kev"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:35:44.407Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-12641"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-06-22T00:00:00+00:00",
"value": "CVE-2020-12641 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T17:07:02.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12641",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10",
"refsource": "MISC",
"url": "https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube"
},
{
"name": "GLSA-202007-41",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12641",
"datePublished": "2020-05-04T14:58:15.000Z",
"dateReserved": "2020-05-04T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:35:44.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12625 (GCVE-0-2020-12625)
Vulnerability from cvelistv5 – Published: 2020-05-04 01:57 – Updated: 2024-08-04 12:04
Summary
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.316Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "DSA-4674",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-24T17:07:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "DSA-4674",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12625",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0"
},
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "DSA-4674",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"name": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube",
"refsource": "MISC",
"url": "https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube"
},
{
"name": "GLSA-202007-41",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-41"
},
{
"name": "openSUSE-SU-2020:1516",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12625",
"datePublished": "2020-05-04T01:57:31",
"dateReserved": "2020-05-04T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12626 (GCVE-0-2020-12626)
Vulnerability from cvelistv5 – Published: 2020-05-04 01:57 – Updated: 2024-08-04 12:04
Summary
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:04:22.307Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/pull/7302"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6"
},
{
"name": "DSA-4674",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202007-41"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-27T02:06:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/pull/7302"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6"
},
{
"name": "DSA-4674",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"name": "GLSA-202007-41",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202007-41"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12626",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/releases/tag/1.4.4"
},
{
"name": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4"
},
{
"name": "https://github.com/roundcube/roundcubemail/pull/7302",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/pull/7302"
},
{
"name": "https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6"
},
{
"name": "DSA-4674",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4674"
},
{
"name": "GLSA-202007-41",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-41"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12626",
"datePublished": "2020-05-04T01:57:17",
"dateReserved": "2020-05-04T00:00:00",
"dateUpdated": "2024-08-04T12:04:22.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15237 (GCVE-0-2019-15237)
Vulnerability from cvelistv5 – Published: 2019-08-20 00:39 – Updated: 2024-08-05 00:42
Summary
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:42:03.569Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/roundcube/roundcubemail/issues/6891"
},
{
"name": "FEDORA-2019-d9c2f1ec70",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-08T04:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/roundcube/roundcubemail/issues/6891"
},
{
"name": "FEDORA-2019-d9c2f1ec70",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-15237",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/roundcube/roundcubemail/issues/6891",
"refsource": "MISC",
"url": "https://github.com/roundcube/roundcubemail/issues/6891"
},
{
"name": "FEDORA-2019-d9c2f1ec70",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-15237",
"datePublished": "2019-08-20T00:39:53",
"dateReserved": "2019-08-19T00:00:00",
"dateUpdated": "2024-08-05T00:42:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}