CVSS: 6.1EPSS: 5%CPEs: 6EXPL: 0CVE-2020-13964
https://notcve.org/view.php?id=CVE-2020-13964
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. En el archivo include/rcmail_output_html.php permite un ataque de tipo XSS por medio del objeto de plantilla de nombre de usuario • https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19 https://github.com/roundcube/roundcubemail/releases/tag/1.3.12 https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 2CVE-2020-13965 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-13965
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. Se presenta una vulnerabilidad de tipo XSS por medio de un archivo adjunto XML malicioso porque text/xml se encuentra entre los tipos permitidos para una vista previa Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. • https://github.com/mbadanoiu/CVE-2020-13965 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3 https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5 https://github.com/roundcube/roundcubemail/releases/tag/1.3.12 https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 https://lists.fedoraproject.org/archives/list/p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 2CVE-2020-12625
https://notcve.org/view.php?id=CVE-2020-12625
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo rcube_washtml.php porque el código JavaScript puede aparecer en el CDATA de un mensaje HTML. • https://github.com/mbadanoiu/CVE-2020-12625 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://security.gentoo.org/glsa/2020 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 2%CPEs: 3EXPL: 1CVE-2020-12626
https://notcve.org/view.php?id=CVE-2020-12626
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Un ataque de tipo CSRF puede causar que un usuario autenticado cierre sesión porque POST no se consideró. • https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/pull/7302 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://security.gentoo.org/glsa/202007-41 https://www.debian.org/security/2020/dsa-4674 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13389
https://notcve.org/view.php?id=CVE-2019-13389
RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. RainLoop Webmail versiones anteriores a 1.13.0, carece de mecanismos de protección de XSS, tal y como xlink: comprobación de href, el encabezado X-XSS-Protection y el encabezado Content-Security-Policy. • https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 https://lists.debian.org/debian-lts-announce/2023/05/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •