CVSS: 5.0EPSS: 0%CPEs: 23EXPL: 0CVE-2010-0464
https://notcve.org/view.php?id=CVE-2010-0464
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. Roundcube v0.3.1 y anteriores no solicitan que el navegador web permita el "prefetching" DNS de los nombres de dominio contenidos en mensajes de correo electrónico, lo que facilita a atacantes remotos determinar la localización de red del usuario de webmail mediante peticiones de logggin DNS. • http://trac.roundcube.net/ticket/1486449 http://www.mandriva.com/security/advisories?name=MDVSA-2010:048 https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 18EXPL: 0CVE-2009-4076
https://notcve.org/view.php?id=CVE-2009-4076
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Roundcube Webmail v0.2.2 y anteriores permite a atacantes remotos secuestrar la autenticación de usuarios sin especificar para peticiones que modifican la información del usuario a través de vectores inespecíficos, una vulnerabilidad diferente a CVE-2009-4077. • http://jvn.jp/en/jp/JVN72974205/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000071.html http://secunia.com/advisories/37235 http://trac.roundcube.net/wiki/Changelog http://www.osvdb.org/59661 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 18EXPL: 0CVE-2009-4077
https://notcve.org/view.php?id=CVE-2009-4077
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Roundcube Webmail v0.2.2 y anteriores permite a atacantes remotos secuestrar la autenticación de usuarios sin especificar para peticiones que envían correos electrónicos arbitrarios a través de vectores sin especificar, una vulnerabilidad diferente a CVE-2009-4076. • http://jvn.jp/en/jp/JVN75694913/index.html http://jvndb.jvn.jp/ja/contents/2009/JVNDB-2009-000072.html http://secunia.com/advisories/37235 http://trac.roundcube.net/wiki/Changelog http://www.osvdb.org/59661 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 86%CPEs: 2EXPL: 4CVE-2008-5619 – Roundcube Webmail 0.2-3 Beta - Code Execution
https://notcve.org/view.php?id=CVE-2008-5619
html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. html2text.php en Chuggnutt HTML a Text Converter, como se usa en PHPMailer en versiones anteriores a 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha y 0.2-3.beta, Mahara y AtMail Open 1.03, permite a atacantes remotos ejecutar código arbitrario a través de entrada manipulada que se procesa por la función preg_replace con el interruptor de eval. RoundCube Webmail versions 0.2-3 Beta and below suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/7549 https://www.exploit-db.com/exploits/7553 http://mahara.org/interaction/forum/topic.php?id=533 http://osvdb.org/53893 http://secunia.com/advisories/33145 http://secunia.com/advisories/33170 http://secunia.com/advisories/34789 http://sourceforge.net/forum/forum.php?forum_id=898542 http://trac.roundcube.net/changeset/2148 http://trac.roundcube.net/ticket/1485618 http://www.openwall.com/lists/oss-security/2008/12/12/1 http: • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 92%CPEs: 25EXPL: 2CVE-2008-1055 – Surgemail and WebMail 3.0 - 'Page' Remote Format String
https://notcve.org/view.php?id=CVE-2008-1055
Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in the page parameter. Vulnerabilidad de cadena de formato en webmail.exe de NetWin SurgeMail 38k4 y versiones anteriores y beta 39a, y WebMail 3.1s y versiones anteriores, permite a atacantes remotos provocar una denegación de servicio (caída del demonio) y posiblemente ejecutar código de su elección a través de cadenas de formato especificadas en el parámetro page. • https://www.exploit-db.com/exploits/31300 http://aluigi.altervista.org/adv/surgemailz-adv.txt http://secunia.com/advisories/29105 http://secunia.com/advisories/29137 http://securityreason.com/securityalert/3705 http://www.securityfocus.com/archive/1/488741/100/0/threaded http://www.securityfocus.com/bid/27990 http://www.securitytracker.com/id?1019500 http://www.vupen.com/english/advisories/2008/0678 https://exchange.xforce.ibmcloud.com/vulnerabilities/40833 • CWE-134: Use of Externally-Controlled Format String •