Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
roundcube roundcube vulnerabilities and exploits
(subscribe to this query)
3.5
CVSSv2
CVE-2013-5646
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
Roundcube Webmail 1.0
3.5
CVSSv2
CVE-2020-18670
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
Roundcube Webmail 1.4.4
4.3
CVSSv2
CVE-2012-3508
Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote malicious users to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.
Roundcube Webmail 0.8.0
1 EDB exploit
6.8
CVSSv2
CVE-2016-4069
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail prior to 1.1.5 allows remote malicious users to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
Opensuse Leap 42.1
Roundcube Webmail
4.3
CVSSv2
CVE-2019-15237
Roundcube Webmail up to and including 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Roundcube Webmail
Fedoraproject Fedora 29
4.3
CVSSv2
CVE-2015-1433
program/lib/Roundcube/rcube_washtml.php in Roundcube prior to 1.0.5 does not properly quote strings, which allows remote malicious users to conduct cross-site scripting (XSS) attacks via the style attribute in an email.
Roundcube Webmail
Fedoraproject Fedora 21
4.3
CVSSv2
CVE-2020-15562
An issue exists in Roundcube Webmail prior to 1.2.11, 1.3.x prior to 1.3.14, and 1.4.x prior to 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
Roundcube Webmail
Debian Debian Linux 10.0
NA
CVE-2023-43770
Roundcube prior to 1.4.14, 1.5.x prior to 1.5.4, and 1.6.x prior to 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Roundcube Webmail
Debian Debian Linux 10.0
2 Github repositories
6.8
CVSSv2
CVE-2018-9846
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform a...
Roundcube Webmail
Debian Debian Linux 9.0
1 Github repository
4.3
CVSSv2
CVE-2018-19206
steps/mail/func.inc in Roundcube prior to 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Roundcube Webmail
Debian Debian Linux 9.0
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-49223
CVE-2024-0044
information disclosure
CVE-2024-35753
HTML injection
CVE-2024-21306
CVE-2024-35733
SQL injection
CVE-2024-35732
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
NEXT »