Page 2 of 31 results (0.008 seconds)

CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0

09 Jun 2020 — An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. En el archivo include/rcmail_output_html.php permite un ataque de tipo XSS por medio del objeto de plantilla de nombre de usuario Matei Badanoiu and LoRexxar@knownsec discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process ... • https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.3EPSS: 5%CPEs: 6EXPL: 2

09 Jun 2020 — An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. Se presenta una vulnerabilidad de tipo XSS por medio de un archivo adjunto XML malicioso porque text/xml se encuentra entre los tipos permitidos para una vista previa Matei Badanoiu and LoRexxar@knownsec discovered that roundcube, a skinnable AJAX bas... • https://github.com/mbadanoiu/CVE-2020-13965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 9.8EPSS: 1%CPEs: 7EXPL: 2

04 May 2020 — Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. Roundcube Webmail versiones anteriores a la versión 1.4.4, permite a atacantes incluir archivos locales y ejecutar código por medio de un salto de directorio en un nombre de plugin en archivo rcube_plugin_api.php. • https://github.com/mbadanoiu/CVE-2020-12640 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 23%CPEs: 7EXPL: 2

04 May 2020 — rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. El archivo rcube_image.php en Roundcube Webmail versiones anteriores a la versión 1.4.4, permite a atacantes ejecutar código arbitrario por medio de metacaracteres de shell en un ajuste de configuración para im_convert_path o im_identify_path. Roundcube Webmail contains an remote code execution vulnerability that allows atta... • https://github.com/mbadanoiu/CVE-2020-12641 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 2

04 May 2020 — An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo rcube_washtml.php porque el código JavaScript puede aparecer en el CDATA de un mensaje HTML. It was discovered that roundcube, a skinnable AJAX based webmail s... • https://github.com/mbadanoiu/CVE-2020-12625 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 2%CPEs: 3EXPL: 1

04 May 2020 — An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Un ataque de tipo CSRF puede causar que un usuario autenticado cierre sesión porque POST no se consideró. It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. • https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

20 Mar 2020 — RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. RainLoop Webmail versiones anteriores a 1.13.0, carece de mecanismos de protección de XSS, tal y como xlink: comprobación de href, el encabezado X-XSS-Protection y el encabezado Content-Security-Policy. • https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0

20 Aug 2019 — Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. Roundcube Webmail versiones hasta 1.3.9, maneja inapropiadamente los nombres de dominio Punycode xn--, conllevando a ataques homográficos. • https://github.com/roundcube/roundcubemail/issues/6891 •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1

07 Apr 2019 — In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. En Roundcube Webmail en versiones... • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 6.1EPSS: 38%CPEs: 2EXPL: 0

12 Nov 2018 — steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. steps/mail/func.inc en Roundcube en versiones anteriores a la 1.3.8 tiene Cross-Site Scripting (XSS) mediante el uso manipulado de Aidan Marlin discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to a cross-site scripting vulnerability in handling invalid style tag content. • https://github.com/roundcube/roundcubemail/releases/tag/1.3.8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •