Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
roundcube webmail vulnerabilities and exploits
(subscribe to this query)
6.1
CVSSv3
CVE-2020-35730
An XSS issue exists in Roundcube Webmail prior to 1.2.13, 1.3.x prior to 1.3.16, and 1.4.x prior to 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Roundcube Webmail
Fedoraproject Fedora 32
Fedoraproject Fedora 33
Debian Debian Linux 9.0
1 Github repository
2 Articles
6.1
CVSSv3
CVE-2020-16145
Roundcube Webmail prior to 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Roundcube Webmail
Fedoraproject Fedora 31
Fedoraproject Fedora 32
6.1
CVSSv3
CVE-2020-15562
An issue exists in Roundcube Webmail prior to 1.2.11, 1.3.x prior to 1.3.14, and 1.4.x prior to 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
Roundcube Webmail
Debian Debian Linux 10.0
6.1
CVSSv3
CVE-2020-13964
An issue exists in Roundcube Webmail prior to 1.3.12 and 1.4.x prior to 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
Roundcube Webmail
Fedoraproject Fedora 31
Fedoraproject Fedora 32
Debian Debian Linux 9.0
Debian Debian Linux 10.0
6.1
CVSSv3
CVE-2020-13965
An issue exists in Roundcube Webmail prior to 1.3.12 and 1.4.x prior to 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Roundcube Webmail
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Fedoraproject Fedora 31
Fedoraproject Fedora 32
1 Github repository
9.8
CVSSv3
CVE-2020-12641
rcube_image.php in Roundcube Webmail prior to 1.4.4 allows malicious users to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
Roundcube Webmail
Opensuse Leap 15.1
Opensuse Backports Sle 15.0
Opensuse Leap 15.2
2 Github repositories
1 Article
9.8
CVSSv3
CVE-2020-12640
Roundcube Webmail prior to 1.4.4 allows malicious users to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
Roundcube Webmail
Opensuse Leap 15.1
Opensuse Backports Sle 15.0
Opensuse Leap 15.2
1 Github repository
6.1
CVSSv3
CVE-2020-12625
An issue exists in Roundcube Webmail prior to 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
Roundcube Webmail
Debian Debian Linux 9.0
Debian Debian Linux 10.0
Opensuse Leap 15.1
Opensuse Backports Sle 15.0
Opensuse Leap 15.2
1 Github repository
6.5
CVSSv3
CVE-2020-12626
An issue exists in Roundcube Webmail prior to 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Roundcube Webmail
Debian Debian Linux 9.0
Debian Debian Linux 10.0
7.4
CVSSv3
CVE-2019-15237
Roundcube Webmail up to and including 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Roundcube Webmail
Fedoraproject Fedora 29
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4654
CVE-2023-49606
encryption
NULL pointer dereference
CVE-2024-4439
CVE-2024-4649
race condition
CVE-2024-27202
CVE-2024-34566
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »