Summary
Detail | Value | Detail | Value |
---|---|---|---|
Vendor | Roundcube | First view | 2018-04-07 |
Product | Webmail | Last view | 2020-08-12 |
Version | 1.3.5 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:roundcube:webmail | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
6.1 | 2020-08-12 | CVE-2020-16145 | Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. |
6.1 | 2020-07-06 | CVE-2020-15562 | An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. |
6.1 | 2020-06-09 | CVE-2020-13965 | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. |
6.1 | 2020-06-09 | CVE-2020-13964 | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. |
9.8 | 2020-05-04 | CVE-2020-12641 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. |
9.8 | 2020-05-04 | CVE-2020-12640 | Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. |
6.5 | 2020-05-04 | CVE-2020-12626 | An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. |
6.1 | 2020-05-04 | CVE-2020-12625 | An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. |
7.4 | 2019-08-19 | CVE-2019-15237 | Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. |
8.8 | 2018-04-07 | CVE-2018-9846 | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. |
CWE : Common Weakness Enumeration
% (count) | ID | Name |
---|---|---|
55% (5) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
11% (1) | CWE-352 | Cross-Site Request Forgery (CSRF) |
11% (1) | CWE-88 | Argument Injection or Modification |
11% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
11% (1) | CWE-20 | Improper Input Validation |
Snort® IPS/IDS
Date | Description |
---|---|
2018-09-11 | RoundCube WebMail IMAP command injection attempt RuleID : 47510 - Type : SERVER-WEBAPP - Revision : 3 |
2018-09-11 | RoundCube WebMail IMAP command injection attempt RuleID : 47509 - Type : SERVER-WEBAPP - Revision : 2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-c279b3696f.nasl - Type: ACT_GATHER_INFO |
2018-04-30 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4181.nasl - Type: ACT_GATHER_INFO |
2018-04-23 | Name: The remote Fedora host is missing a security update. File: fedora_2018-57fbdb1cb5.nasl - Type: ACT_GATHER_INFO |
2018-04-23 | Name: The remote Fedora host is missing a security update. File: fedora_2018-f6dc921a19.nasl - Type: ACT_GATHER_INFO |
2018-04-16 | Name: The remote FreeBSD host is missing a security-related update. File: freebsd_pkg_48894ca93e6f11e892f0f0def167eeea.nasl - Type: ACT_GATHER_INFO |