Page 4 of 31 results (0.005 seconds)

CVSS: 6.5EPSS: 2%CPEs: 3EXPL: 1

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Un ataque de tipo CSRF puede causar que un usuario autenticado cierre sesión porque POST no se consideró. • https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/pull/7302 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://security.gentoo.org/glsa/202007-41 https://www.debian.org/security/2020/dsa-4674 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. RainLoop Webmail versiones anteriores a 1.13.0, carece de mecanismos de protección de XSS, tal y como xlink: comprobación de href, el encabezado X-XSS-Protection y el encabezado Content-Security-Policy. • https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 https://lists.debian.org/debian-lts-announce/2023/05/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. Roundcube Webmail versiones hasta 1.3.9, maneja inapropiadamente los nombres de dominio Punycode xn--, conllevando a ataques homográficos. • https://github.com/roundcube/roundcubemail/issues/6891 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5 •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. En Roundcube Webmail en versiones anteriores a la 1.3.10, un atacante en posesión de correos electrónicos cifrados S/MIME o PGP puede envolverlos como subparte dentro de un correo electrónico multiparte diseñado. • http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/roundcube/roundcubemail/issues/6638 https://github.com/roundcube/roundcubemail/releases/tag/1.3.10 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5 • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. Roundcube en versiones anteriores a la 1.3.7 gestiona de manera incorrecta las advertencias de integridad/protección GnuPG MDC, lo que facilita que los atacantes obtengan información sensible. Esto está relacionado con CVE-2017-17688. Esto está asociado con plugins/enigma/lib/enigma_driver_gnupg.php. • https://github.com/roundcube/roundcubemail/releases/tag/1.3.7 https://roundcube.net/news/2018/07/27/update-1.3.7-released • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •