CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18671
https://notcve.org/view.php?id=CVE-2020-18671
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube Mail versiones anteriores a 1.4.4 incluyéndola, por medio del parámetro smtp config en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-26925
https://notcve.org/view.php?id=CVE-2021-26925
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. Roundcube versiones anteriores a 1.4.11, permite ataque de tipo XSS por medio de secuencias de tokens de Cascading Style Sheets (CSS) diseñadas durante el renderizado de correo electrónico HTML • https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM https://roundcube.net/news/2021/02/08/security-update-1.4.11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 6%CPEs: 6EXPL: 0CVE-2020-35730 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. Se detectó un problema de XSS en Roundcube Webmail en versiones anteriores a la 1.2.13, 1.3.x en versiones anteriores a la 1.3.16 y 1.4.x en versiones anteriores a la 1.4.10. El atacante puede enviar un mensaje de correo electrónico de texto sin formato, con JavaScript en un elemento de referencia de enlace que es manejado inapropiadamente por linkref_addindex en rcube_string_replacer.php. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 https://github.com/roundcube/roundcubemail/releases/tag/1.2.13 https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 https://github.com/roundcube/roundcubemail/releases/tag/1.4.10 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2 https://lists.fedoraproject.org/archives/list/package-announce& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-16145
https://notcve.org/view.php?id=CVE-2020-16145
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. Roundcube Webmail versiones anteriores a 1.3.15 y 1.4.8, permite un ataque de tipo XSS almacenado en mensajes HTML durante la visualización de mensajes por medio de un documento SVG diseñado. Este problema se ha solucionado en la versión 1.4.8 y versión 1.3.15. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4 https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070 https://github.com/roundcube/roundcubemail/releases/tag/1.3.15 https://github.com/roundcube/roundcubemail/releases/tag/1.4.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DAXK3565NYK4OEZVTW6S5LEVIDQEY2E https://li • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-15562
https://notcve.org/view.php?id=CVE-2020-15562
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.2.11, versiones 1.3.x anteriores a 1.3.14 y versiones 1.4.x anteriores a 1.4.7. Permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML diseñado, como es demostrado por una carga útil de JavaScript en el atributo xmlns (también se conoce como espacio de nombres XML) de un elemento HEAD cuando se presenta un elemento SVG • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82 https://github.com/roundcube/roundcubemail/releases/tag/1.2.11 https://github.com/roundcube/roundcubemail/releases/tag/1.3.14 https://github.com/roundcube/roundcubemail/releases/tag/1.4.7 https://www.debian.org/security/2020/dsa-4720 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •