CVSS: 6.1EPSS: 4%CPEs: 7EXPL: 2CVE-2023-5631 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2023-5631
18 Oct 2023 — Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. Roundcube anterior a 1.4.15, 1.5.x anterior a 1.5.5 y 1.6.x anterior a 1.6.4 permiten almacenar XSS a través de un mensaje de correo electrónico HTML con un documento SVG manipulado debido al comportamiento de program/lib/Roundcube/rcube_wa... • https://github.com/soreta2/CVE-2023-5631-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 13%CPEs: 4EXPL: 2CVE-2023-43770 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2023-43770
22 Sep 2023 — Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. Roundcube anterior a 1.4.14, 1.5.x anterior a 1.5.4 y 1.6.x anterior a 1.6.3 permiten XSS a través de mensajes de texto/correo electrónico plano con enlaces manipuados debido al comportamiento de program/lib/Roundcube/rcube_string_replacer.php. It was discovered that Roundcube Webmail incorrectly sanitized charac... • https://github.com/s3cb0y/CVE-2023-43770-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-29360
https://notcve.org/view.php?id=CVE-2022-29360
28 Jul 2022 — The Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message. El Visor de Correo Electrónico en RainLoop versiones hasta 1.6.0, permite un ataque de tipo XSS por medio de un mensaje de correo electrónico diseñado • https://blog.sonarsource.com/rainloop-emails-at-risk-due-to-code-flaw • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2021-44025 – Debian Security Advisory 5013-1
https://notcve.org/view.php?id=CVE-2021-44025
19 Nov 2021 — Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. Roundcube versiones anteriores a 1.3.17 y versiones 1.4.x anteriores a 1.4.12, es propenso a un ataque de tipo XSS en el manejo de la extensión del nombre del archivo adjunto cuando se muestra un mensaje de advertencia de tipo MIME It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize reques... • https://bugs.debian.org/1000156 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 7EXPL: 1CVE-2021-44026 – Roundcube Webmail SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-44026
19 Nov 2021 — Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. Roundcube versiones anteriores a 1.3.17 y versiones 1.4.x anteriores a 1.4.12, es propenso a una potencial inyección SQL por medio de los parámetros search o search_params It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize requests and mail messages. This would allow an attacker to perform Cross-Side Scripting (XSS) or SQL injec... • https://github.com/pentesttoolscom/roundcube-cve-2021-44026 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18671
https://notcve.org/view.php?id=CVE-2020-18671
24 Jun 2021 — Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube Mail versiones anteriores a 1.4.4 incluyéndola, por medio del parámetro smtp config en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-26925
https://notcve.org/view.php?id=CVE-2021-26925
09 Feb 2021 — Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. Roundcube versiones anteriores a 1.4.11, permite ataque de tipo XSS por medio de secuencias de tokens de Cascading Style Sheets (CSS) diseñadas durante el renderizado de correo electrónico HTML • https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 6EXPL: 0CVE-2020-35730 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-35730
28 Dec 2020 — An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. Se detectó un problema de XSS en Roundcube Webmail en versiones anteriores a la 1.2.13, 1.3.x en versiones anteriores a la 1.3.16 y 1.4.x en versiones anteriores a la 1.4.10. El atacante puede enviar un mensaje de correo electrónico de te... • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-16145
https://notcve.org/view.php?id=CVE-2020-16145
12 Aug 2020 — Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. Roundcube Webmail versiones anteriores a 1.3.15 y 1.4.8, permite un ataque de tipo XSS almacenado en mensajes HTML durante la visualización de mensajes por medio de un documento SVG diseñado. Este problema se ha solucionado en la versión 1.4.8 y versión 1.3.15. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-15562 – Debian Security Advisory 4720-1
https://notcve.org/view.php?id=CVE-2020-15562
06 Jul 2020 — An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.2.11, versiones 1.3.x anteriores a 1.3.14 y versiones 1.4.x anteriores a 1.4.7. Permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML... • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •