CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2016-4069
https://notcve.org/view.php?id=CVE-2016-4069
25 Aug 2016 — Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. Vulnerabilidad de CSRF en Roundcube Webmail en versiones anteriores a1.1.5 permite a atacantes remotos secuestrar la autenticación de usuarios para peticiones que descargan archivos adjuntos y provocar una denegación del servicio (consumo del disco) a tra... • http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2015-8793
https://notcve.org/view.php?id=CVE-2015-8793
29 Jan 2016 — Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. Vulnerabilidad de XSS en program/include/rcmail.php en Roundcube en versiones anteriores a 1.0.6 y 1.1.x en versiones anteriores a 1.1.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a t... • http://trac.roundcube.net/ticket/1490417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-8794
https://notcve.org/view.php?id=CVE-2015-8794
29 Jan 2016 — Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. Vulnerabilidad de salto de ruta absoluta en program/steps/addressbook/photo.inc en Roundcube en versiones anteriores a 1.0.6 y 1.1.x en versiones anteriores a 1.1.2 permite a usuarios remotos autenticados leer archivos arbitrarios a través de un nomb... • http://trac.roundcube.net/changeset/6ccd4c54b/github • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 35%CPEs: 5EXPL: 4CVE-2015-8770 – Roundcube Webmail 1.1.3 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-8770
15 Jan 2016 — Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php. Vulnerabilidad de salto de directorio en la función set_skin en program/include/rcmail_output_html.php en Roundcube en versiones anteriores a 1.0.8 y 1.1.x en versiones anteriores a 1.1.4 ... • https://packetstorm.news/files/id/135274 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.4EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8105
https://notcve.org/view.php?id=CVE-2015-8105
10 Nov 2015 — Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. Vulnerabilidad de XSS en program/js/app.js en Roundcube webmail en versiones anteriores a 1.0.7 y 1.1.x en versiones anteriores a 1.1.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre de archivo en una sub... • http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2015-1433
https://notcve.org/view.php?id=CVE-2015-1433
03 Feb 2015 — program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. program/lib/Roundcube/rcube_washtml.php en Roundcube anterior a 1.0.5 no cita correctamente las cadenas, lo que permite a atacantes remotos realizar ataques de XSS a través del atributo de estilo en un email. • http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 0CVE-2014-9587
https://notcve.org/view.php?id=CVE-2014-9587
15 Jan 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. Múltiples vulnerabilidades de CSRF en Roundcube Webmail anterior a 1.0.4 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores no especificadas, relacionado con (1) operaciones del libro de... • http://roundcube.net/news/2014/12/18/update-1.0.4-released • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 44EXPL: 0CVE-2013-1904
https://notcve.org/view.php?id=CVE-2013-1904
08 Feb 2014 — Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploited in the wild in March 2013. Vulnerabilidad de recorrido de directorio absoluto en steps/mail/sendmail.inc en Roundcube Webmail anterior a 0.7.3 y 0.8.x anterior a 0.8.6 permite a atacantes remotos leer archivos ... • http://habrahabr.ru/post/174423 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 54EXPL: 0CVE-2013-6172 – Mandriva Linux Security Advisory 2013-263
https://notcve.org/view.php?id=CVE-2013-6172
28 Oct 2013 — steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code. steps/utils/save_pref.inc en Roundcube webmail anterior a la versión 0.8.7 y 0.9.x anterior a 0.9.5 permite a atacantes remotos modificar las opciones de configuración a través del parámetro _session, que se puede aprovechar para leer ar... • http://lists.opensuse.org/opensuse-updates/2014-03/msg00035.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2013-5646
https://notcve.org/view.php?id=CVE-2013-5646
29 Aug 2013 — Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group. Vulnerabilidad Cross-site scripting (XSS) en Roundcube webmail v1.0-git, permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML arbitrarias a través del campo "Name" de un grupo de la libreta de direcciones. • http://trac.roundcube.net/ticket/1489251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •