CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18671
https://notcve.org/view.php?id=CVE-2020-18671
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube Mail versiones anteriores a 1.4.4 incluyéndola, por medio del parámetro smtp config en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18670
https://notcve.org/view.php?id=CVE-2020-18670
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube mail versión .4.4 por medio de la base de datos del host y del usuario en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2021-26925
https://notcve.org/view.php?id=CVE-2021-26925
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. Roundcube versiones anteriores a 1.4.11, permite ataque de tipo XSS por medio de secuencias de tokens de Cascading Style Sheets (CSS) diseñadas durante el renderizado de correo electrónico HTML • https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM https://roundcube.net/news/2021/02/08/security-update-1.4.11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 6%CPEs: 6EXPL: 0CVE-2020-35730 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. Se detectó un problema de XSS en Roundcube Webmail en versiones anteriores a la 1.2.13, 1.3.x en versiones anteriores a la 1.3.16 y 1.4.x en versiones anteriores a la 1.4.10. El atacante puede enviar un mensaje de correo electrónico de texto sin formato, con JavaScript en un elemento de referencia de enlace que es manejado inapropiadamente por linkref_addindex en rcube_string_replacer.php. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 https://github.com/roundcube/roundcubemail/releases/tag/1.2.13 https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 https://github.com/roundcube/roundcubemail/releases/tag/1.4.10 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2 https://lists.fedoraproject.org/archives/list/package-announce& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-16145
https://notcve.org/view.php?id=CVE-2020-16145
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. Roundcube Webmail versiones anteriores a 1.3.15 y 1.4.8, permite un ataque de tipo XSS almacenado en mensajes HTML durante la visualización de mensajes por medio de un documento SVG diseñado. Este problema se ha solucionado en la versión 1.4.8 y versión 1.3.15. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4 https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070 https://github.com/roundcube/roundcubemail/releases/tag/1.3.15 https://github.com/roundcube/roundcubemail/releases/tag/1.4.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DAXK3565NYK4OEZVTW6S5LEVIDQEY2E https://li • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •