CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2020-15562
https://notcve.org/view.php?id=CVE-2020-15562
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.2.11, versiones 1.3.x anteriores a 1.3.14 y versiones 1.4.x anteriores a 1.4.7. Permite un ataque de tipo XSS por medio de un mensaje de correo electrónico HTML diseñado, como es demostrado por una carga útil de JavaScript en el atributo xmlns (también se conoce como espacio de nombres XML) de un elemento HEAD cuando se presenta un elemento SVG • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82 https://github.com/roundcube/roundcubemail/releases/tag/1.2.11 https://github.com/roundcube/roundcubemail/releases/tag/1.3.14 https://github.com/roundcube/roundcubemail/releases/tag/1.4.7 https://www.debian.org/security/2020/dsa-4720 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 6EXPL: 0CVE-2020-13964
https://notcve.org/view.php?id=CVE-2020-13964
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. En el archivo include/rcmail_output_html.php permite un ataque de tipo XSS por medio del objeto de plantilla de nombre de usuario • https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19 https://github.com/roundcube/roundcubemail/releases/tag/1.3.12 https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 2CVE-2020-13965 – Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2020-13965
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.3.12. Se presenta una vulnerabilidad de tipo XSS por medio de un archivo adjunto XML malicioso porque text/xml se encuentra entre los tipos permitidos para una vista previa Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment. • https://github.com/mbadanoiu/CVE-2020-13965 https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3 https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5 https://github.com/roundcube/roundcubemail/releases/tag/1.3.12 https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 https://lists.fedoraproject.org/archives/list/p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-13389
https://notcve.org/view.php?id=CVE-2019-13389
RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. RainLoop Webmail versiones anteriores a 1.13.0, carece de mecanismos de protección de XSS, tal y como xlink: comprobación de href, el encabezado X-XSS-Protection y el encabezado Content-Security-Policy. • https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 https://lists.debian.org/debian-lts-announce/2023/05/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 2CVE-2010-4930 – @Mail 6.1.9 - 'MailType' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4930
Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary web script or HTML via the MailType parameter in a mail/auth/processlogin action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en index.php de @mail Webmail antes de v6.2.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro MailType en una acción mail/auth/processlogin • https://www.exploit-db.com/exploits/34690 http://osvdb.org/68183 http://secunia.com/advisories/41555 http://securityreason.com/securityalert/8455 http://www.securityfocus.com/archive/1/513890/100/0/threaded http://www.securityfocus.com/bid/43377 https://exchange.xforce.ibmcloud.com/vulnerabilities/61958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •