This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Roundcube First view 2019-08-19
Product Webmail Last view 2020-08-12
Version 1.3.9 Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:roundcube:webmail

Activity : Overall

Related : CVE

  Date Alert Description
6.1 2020-08-12 CVE-2020-16145

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

6.1 2020-07-06 CVE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.

6.1 2020-06-09 CVE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

6.1 2020-06-09 CVE-2020-13964

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

9.8 2020-05-04 CVE-2020-12641

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

9.8 2020-05-04 CVE-2020-12640

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

6.5 2020-05-04 CVE-2020-12626

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

6.1 2020-05-04 CVE-2020-12625

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

7.4 2019-08-19 CVE-2019-15237

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

CWE : Common Weakness Enumeration

%idName
62% (5) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
12% (1) CWE-352 Cross-Site Request Forgery (CSRF)
12% (1) CWE-88 Argument Injection or Modification
12% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...