CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 1CVE-2015-2180
https://notcve.org/view.php?id=CVE-2015-2180
30 Jan 2017 — The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. El controlador DBMail en el complemento Password de Roundcube en versiones anteriores a 1.1.0 permite a atacantes remotos ejecutar comandos arbitrarios a través de los metacaracteres de shell en la contraseña. • http://www.securityfocus.com/bid/96387 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 44%CPEs: 4EXPL: 2CVE-2016-9920 – Gentoo Linux Security Advisory 201612-44
https://notcve.org/view.php?id=CVE-2016-9920
08 Dec 2016 — steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. steps/mail/sendmail.inc en Roundcube en versiones anteriores a 1.1.7 y 1.2.x en versiones anteriores a 1.2.3, cuando ningún servidor SMTP... • https://github.com/t0kx/exploit-CVE-2016-9920 • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2016-4069
https://notcve.org/view.php?id=CVE-2016-4069
25 Aug 2016 — Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. Vulnerabilidad de CSRF en Roundcube Webmail en versiones anteriores a1.1.5 permite a atacantes remotos secuestrar la autenticación de usuarios para peticiones que descargan archivos adjuntos y provocar una denegación del servicio (consumo del disco) a tra... • http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2015-8793
https://notcve.org/view.php?id=CVE-2015-8793
29 Jan 2016 — Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. Vulnerabilidad de XSS en program/include/rcmail.php en Roundcube en versiones anteriores a 1.0.6 y 1.1.x en versiones anteriores a 1.1.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a t... • http://trac.roundcube.net/ticket/1490417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8105
https://notcve.org/view.php?id=CVE-2015-8105
10 Nov 2015 — Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. Vulnerabilidad de XSS en program/js/app.js en Roundcube webmail en versiones anteriores a 1.0.7 y 1.1.x en versiones anteriores a 1.1.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre de archivo en una sub... • http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2015-1433
https://notcve.org/view.php?id=CVE-2015-1433
03 Feb 2015 — program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. program/lib/Roundcube/rcube_washtml.php en Roundcube anterior a 1.0.5 no cita correctamente las cadenas, lo que permite a atacantes remotos realizar ataques de XSS a través del atributo de estilo en un email. • http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 0CVE-2014-9587
https://notcve.org/view.php?id=CVE-2014-9587
15 Jan 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. Múltiples vulnerabilidades de CSRF en Roundcube Webmail anterior a 1.0.4 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores no especificadas, relacionado con (1) operaciones del libro de... • http://roundcube.net/news/2014/12/18/update-1.0.4-released • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 1%CPEs: 54EXPL: 0CVE-2013-6172 – Mandriva Linux Security Advisory 2013-263
https://notcve.org/view.php?id=CVE-2013-6172
28 Oct 2013 — steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code. steps/utils/save_pref.inc en Roundcube webmail anterior a la versión 0.8.7 y 0.9.x anterior a 0.9.5 permite a atacantes remotos modificar las opciones de configuración a través del parámetro _session, que se puede aprovechar para leer ar... • http://lists.opensuse.org/opensuse-updates/2014-03/msg00035.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2013-5646
https://notcve.org/view.php?id=CVE-2013-5646
29 Aug 2013 — Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group. Vulnerabilidad Cross-site scripting (XSS) en Roundcube webmail v1.0-git, permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML arbitrarias a través del campo "Name" de un grupo de la libreta de direcciones. • http://trac.roundcube.net/ticket/1489251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 52EXPL: 3CVE-2013-5645 – Mandriva Linux Security Advisory 2013-226
https://notcve.org/view.php?id=CVE-2013-5645
18 Jul 2013 — Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc. Múltiples vulnerabilidades de cross-site scripting (XSS) en Roundcube webmail anterior a v0.9.3, permite a atacantes remoto... • https://packetstorm.news/files/id/122462 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •