CVSS: 9.8EPSS: 1%CPEs: 7EXPL: 0CVE-2021-44026 – Roundcube Webmail SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-44026
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. Roundcube versiones anteriores a 1.3.17 y versiones 1.4.x anteriores a 1.4.12, es propenso a una potencial inyección SQL por medio de los parámetros search o search_params Roundcube Webmail is vulnerable to SQL injection via search or search_params. • https://bugs.debian.org/1000156 https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1 https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4 https://www.debian.org/se • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18671
https://notcve.org/view.php?id=CVE-2020-18671
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube Mail versiones anteriores a 1.4.4 incluyéndola, por medio del parámetro smtp config en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18670
https://notcve.org/view.php?id=CVE-2020-18670
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube mail versión .4.4 por medio de la base de datos del host y del usuario en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-26925
https://notcve.org/view.php?id=CVE-2021-26925
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. Roundcube versiones anteriores a 1.4.11, permite ataque de tipo XSS por medio de secuencias de tokens de Cascading Style Sheets (CSS) diseñadas durante el renderizado de correo electrónico HTML • https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM https://roundcube.net/news/2021/02/08/security-update-1.4.11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 6%CPEs: 6EXPL: 0CVE-2020-35730 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. Se detectó un problema de XSS en Roundcube Webmail en versiones anteriores a la 1.2.13, 1.3.x en versiones anteriores a la 1.3.16 y 1.4.x en versiones anteriores a la 1.4.10. El atacante puede enviar un mensaje de correo electrónico de texto sin formato, con JavaScript en un elemento de referencia de enlace que es manejado inapropiadamente por linkref_addindex en rcube_string_replacer.php. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 https://github.com/roundcube/roundcubemail/releases/tag/1.2.13 https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 https://github.com/roundcube/roundcubemail/releases/tag/1.4.10 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2 https://lists.fedoraproject.org/archives/list/package-announce& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •