CVE-2020-12625
https://notcve.org/view.php?id=CVE-2020-12625
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Se presenta una vulnerabilidad de tipo cross-site scripting (XSS) en el archivo rcube_washtml.php porque el código JavaScript puede aparecer en el CDATA de un mensaje HTML. • https://github.com/mbadanoiu/CVE-2020-12625 http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://security.gentoo.org/glsa/2020 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-12626
https://notcve.org/view.php?id=CVE-2020-12626
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. Se detectó un problema en Roundcube Webmail versiones anteriores a 1.4.4. Un ataque de tipo CSRF puede causar que un usuario autenticado cierre sesión porque POST no se consideró. • https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6 https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4 https://github.com/roundcube/roundcubemail/pull/7302 https://github.com/roundcube/roundcubemail/releases/tag/1.4.4 https://security.gentoo.org/glsa/202007-41 https://www.debian.org/security/2020/dsa-4674 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2019-13389
https://notcve.org/view.php?id=CVE-2019-13389
RainLoop Webmail before 1.13.0 lacks XSS protection mechanisms such as xlink:href validation, the X-XSS-Protection header, and the Content-Security-Policy header. RainLoop Webmail versiones anteriores a 1.13.0, carece de mecanismos de protección de XSS, tal y como xlink: comprobación de href, el encabezado X-XSS-Protection y el encabezado Content-Security-Policy. • https://github.com/RainLoop/rainloop-webmail/commit/8eb4588917b4741889fdd905d4c32e3e86317693 https://lists.debian.org/debian-lts-announce/2023/05/msg00027.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2010-4930 – @Mail 6.1.9 - 'MailType' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4930
Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary web script or HTML via the MailType parameter in a mail/auth/processlogin action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en index.php de @mail Webmail antes de v6.2.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro MailType en una acción mail/auth/processlogin • https://www.exploit-db.com/exploits/34690 http://osvdb.org/68183 http://secunia.com/advisories/41555 http://securityreason.com/securityalert/8455 http://www.securityfocus.com/archive/1/513890/100/0/threaded http://www.securityfocus.com/bid/43377 https://exchange.xforce.ibmcloud.com/vulnerabilities/61958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-1055 – Surgemail and WebMail 3.0 - 'Page' Remote Format String
https://notcve.org/view.php?id=CVE-2008-1055
Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in the page parameter. Vulnerabilidad de cadena de formato en webmail.exe de NetWin SurgeMail 38k4 y versiones anteriores y beta 39a, y WebMail 3.1s y versiones anteriores, permite a atacantes remotos provocar una denegación de servicio (caída del demonio) y posiblemente ejecutar código de su elección a través de cadenas de formato especificadas en el parámetro page. • https://www.exploit-db.com/exploits/31300 http://aluigi.altervista.org/adv/surgemailz-adv.txt http://secunia.com/advisories/29105 http://secunia.com/advisories/29137 http://securityreason.com/securityalert/3705 http://www.securityfocus.com/archive/1/488741/100/0/threaded http://www.securityfocus.com/bid/27990 http://www.securitytracker.com/id?1019500 http://www.vupen.com/english/advisories/2008/0678 https://exchange.xforce.ibmcloud.com/vulnerabilities/40833 • CWE-134: Use of Externally-Controlled Format String •