
CVSS: 6.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG in a message. This is a different vulnerability from CVE-2016-4068 (the companion entry below, fixed in the same releases), so this entry is CVE-2015-8864.
References:
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html
• https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
• https://github.com/roundcube/roundcubemail/issues/4949
• https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
• https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
• https://github.com/roundcube/roundcubemail/wiki
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG. This is a different vulnerability from CVE-2015-8864 (the entry above), so this entry is CVE-2016-4068; both were addressed by the same commit and releases.
References:
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00095.html
• https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
• https://github.com/roundcube/roundcubemail/issues/4949
• https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
• https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
• https://github.com/roundcube
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 5 | EXPL: 0

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to cross-site scripting via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element: the CSS washing in rcube_utils.php does not neutralize the sequence, so it survives into the rendered message.
References:
• http://www.securityfocus.com/bid/96817
• https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
• https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
• https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
• https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
• https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
• https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
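The three entries above share one defence: an allowlist washer that drops scriptable SVG elements and attributes and refuses CSS that can load or run code. The block below is an added illustration of that washer, written for this page; it is not Roundcube's rcube_washtml or rcube_utils code, and the element allowlist, the CSS token pattern and the crafted sample document are constructed for the example. It also covers the CSS-escape case (a backslash-escaped `url(`) that a naive token check misses.

```python
"""Allowlist-based SVG washer: an added illustration of the defence for the
SVG/CSS XSS entries above. Not Roundcube's rcube_washtml; the allowlists and
patterns below are constructed for this example."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep a plain xmlns= on output
ET.register_namespace("xlink", XLINK_NS)

# Everything not listed is dropped together with its subtree. Deliberately
# absent: script, style, foreignObject (embeds arbitrary HTML), set/animate*
# (can animate href to javascript:), and any handler element.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "use", "a", "path", "rect", "circle",
    "ellipse", "line", "polyline", "polygon", "text", "tspan", "clipPath",
    "linearGradient", "radialGradient", "stop",
}
# href / xlink:href may only point at a fragment of this document or an http(s) URL.
_URL_OK = re.compile(r"^(#[\w.-]+|https?://[^\s\"'<>]+)$", re.I)
# CSS tokens that can load or run code. The backslash rule matters: "\75rl(" is
# a CSS escape sequence for "url(" and slips past a plain url( check.
_CSS_BAD = re.compile(
    r"(url\s*\(|expression\s*\(|javascript:|@import|behavior\s*:|-moz-binding|[<>&\\])",
    re.I,
)


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _wash_attributes(el, removed):
    for name in list(el.attrib):
        local = _local(name).lower()
        value = el.attrib[name]
        if local.startswith("on"):
            reason = "event handler"
        elif local == "href" and not _URL_OK.match(value.strip()):
            reason = "unsafe URL"
        elif local == "style" and _CSS_BAD.search(value):
            reason = "unsafe CSS"
        else:
            continue
        removed.append(f"{_local(el.tag)}@{local} ({reason})")
        del el.attrib[name]


def _wash_children(el, removed):
    for child in list(el):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            removed.append(f"element:{_local(child.tag)}")
            el.remove(child)              # the whole subtree goes with it
            continue
        _wash_attributes(child, removed)
        _wash_children(child, removed)


def wash_svg(svg_text):
    """Return (cleaned SVG string, list describing what was removed).
    Use defusedxml for parsing in production; plain ElementTree is used here
    only so the example has no third-party dependency."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = []
    _wash_attributes(root, removed)
    _wash_children(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one of each trick the washer must catch.
CRAFTED_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"
     onload="alert(document.cookie)">
  <script>alert(1)</script>
  <circle cx="50" cy="50" r="40" style="fill:red;background:\\75rl(javascript:alert(2))"/>
  <a xlink:href="javascript:alert(3)"><text x="10" y="20">click</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body>
  </foreignObject>
  <set attributeName="href" to="javascript:alert(5)"/>
</svg>"""

if __name__ == "__main__":
    clean, removed = wash_svg(CRAFTED_SVG)
    print(clean)
    print("removed:", removed)
```

The washer is allowlist-first: an unknown element is removed with its subtree rather than inspected, which is what keeps `foreignObject` (arbitrary XHTML) and animation elements from re-introducing what the attribute rules strip. The returned `removed` list is worth logging in a mail pipeline, since a burst of stripped `on*` handlers or `javascript:` hrefs from one sender is a useful detection signal.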

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 2

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled (so outgoing mail is handed to the local sendmail binary on a command line), does not properly restrict the use of custom envelope-from addresses on that sendmail command line. A remote authenticated user who submits a crafted envelope-from in a modified HTTP request that sends an e-mail message can therefore execute arbitrary code (CVE-2016-9920; a public exploit is linked below).
References:
• https://github.com/t0kx/exploit-CVE-2016-9920
• http://www.openwall.com/lists/oss-security/2016/12/08/10
• http://www.securityfocus.com/bid/94858
• https://blog.ripstech.com/2016/roundcube-command-execution-via-email
• https://roundcube.net/news/2016/11/28/updates-1.2.3-and-1.1.7-released
• https://security.gentoo.org/glsa/201612-44
CWE-284: Improper Access Control
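The bug class in this entry is an attacker-chosen value landing on a command line that is later word-split by a shell. The block below is an added illustration written for this page, not Roundcube's sendmail.inc: it shows the "before" shape (one shell string with the envelope-from interpolated behind `-f`) next to a hardened version that validates the address and passes it as its own argv entry. The sendmail path, the Python emulation of PHP's `escapeshellcmd()`, and the crafted address are assumptions of the example; the `-X` option used in the sample is sendmail's trace-log option and is there only to show that the smuggled token is parsed as an option, not as part of the address.

```python
"""Envelope-from on a sendmail(1) command line: the shape of the bug in the
1.1.7/1.2.3 entry above, beside a hardened version. Added illustration, not
Roundcube's code; path, escapeshellcmd() emulation and the crafted address
are assumptions of this example."""
import re
import shlex

SENDMAIL_PATH = "/usr/sbin/sendmail"   # assumed; Roundcube reads it from config

# Approximation of PHP escapeshellcmd(): it backslash-escapes shell
# metacharacters but leaves whitespace and a leading dash alone, so one
# "address" can still become several argv entries once the string hits a
# shell. (Real escapeshellcmd also special-cases unpaired quotes; omitted.)
_META = re.compile(r"([#&;`|*?~<>^()\[\]{}$\\\n])")


def php_escapeshellcmd(value):
    return _META.sub(r"\\\1", value)


def vulnerable_command(from_addr):
    """'Before' shape: one shell string with the user-chosen envelope-from
    interpolated behind -f and handed to popen()."""
    return f"{SENDMAIL_PATH} -t -i -f{php_escapeshellcmd(from_addr)}"


def argv_as_shell_sees_it(command):
    """What /bin/sh actually execs for that string (POSIX word splitting)."""
    return shlex.split(command)


# Hardened: validate the address, never build a shell string, and pass -f and
# its value as separate argv entries to an exec-style call (subprocess with a
# list here; proc_open with an array in PHP 7.4+). A leading dash is refused
# explicitly so the value can never be read as an option by any caller.
_ADDR = re.compile(
    r"^[A-Za-z0-9._%+][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def envelope_from_ok(from_addr):
    return bool(_ADDR.fullmatch(from_addr))


def safe_sendmail_argv(from_addr):
    if not envelope_from_ok(from_addr):
        raise ValueError("envelope-from rejected")
    return [SENDMAIL_PATH, "-t", "-i", "-f", from_addr]


# Constructed attacker input: the space smuggles a second token, which the
# shell hands to sendmail as a separate option.
CRAFTED_FROM = "attacker@example.com -X/tmp/trace.log"

if __name__ == "__main__":
    print(argv_as_shell_sees_it(vulnerable_command(CRAFTED_FROM)))
    print(safe_sendmail_argv("user@example.com"))
```

Two things to check when auditing similar code: whether the "address" validation is applied to the value that actually reaches the command line (not just to the header), and whether the process is started with a string (shell involved) or an argument array (no shell). Escaping functions that target shell metacharacters do not help when the injected separator is a plain space.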

CVSS: 8.8 | EPSS: 11% | CPEs: 2 | EXPL: 0

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments: a cross-site request made in the victim's authenticated session triggers the attachment-download handling, and repeated requests cause a denial of service (disk consumption) via unspecified vectors.
References:
• http://lists.opensuse.org/opensuse-updates/2016-08/msg00079.html
• http://www.openwall.com/lists/oss-security/2016/04/23/4
• http://www.securityfocus.com/bid/92654
• https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
• https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
• https://github.com/roundcube/roundcubemail/issues/4957
• https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
• https://github.com/roundcube/roundcubemail/wiki/Changelog#release-
CWE-352: Cross-Site Request Forgery (CSRF)
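The fix for this class of bug is to require a per-session request token on any endpoint that does work on the server, including "read-only" downloads that materialise temporary files. The block below is an added illustration written for this page, not Roundcube's token code: the session layout, the `_token` parameter name, and the simulated temp-file counter are assumptions of the example. The point it shows is that a forged cross-site request still carries the victim's cookie (so the session is authenticated) but cannot carry a token derived from a secret held only in that session, so the request is refused before any disk is consumed.

```python
"""Per-session request token for a side-effecting download endpoint.
Added illustration of the CWE-352 mitigation, not Roundcube's own code;
session layout and the _token parameter name are assumptions."""
import hashlib
import hmac
import secrets

ACTION = "download-attachment"


def new_session():
    """Server-side session state (constructed): an id plus a secret that never
    leaves the server, and a counter standing in for temp files on disk."""
    return {"id": secrets.token_hex(16), "secret": secrets.token_bytes(32), "tmpfiles": 0}


def issue_token(session, action=ACTION):
    """Deterministic HMAC over (session id, action): nothing to store, and a
    token for one action cannot be replayed against another."""
    msg = f"{session['id']}:{action}".encode()
    return hmac.new(session["secret"], msg, hashlib.sha256).hexdigest()


def token_valid(session, action, presented):
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(issue_token(session, action), presented)


def handle_download(session, params):
    """Return (status line, temp files now held by the session).
    A cross-site request arrives with the cookie, so `session` is the victim's
    authenticated session; the check below is what stops it anyway."""
    if not token_valid(session, ACTION, params.get("_token")):
        return "403 missing or invalid request token", session["tmpfiles"]
    # Only now do the expensive, disk-consuming work (simulated by a counter).
    session["tmpfiles"] += 1
    return "200 attachment streamed", session["tmpfiles"]


if __name__ == "__main__":
    victim = new_session()
    # Forged request from another origin: cookie present, token absent.
    print(handle_download(victim, {"_uid": "1", "_part": "2"}))
    # Legitimate request from a page the server rendered with the token.
    print(handle_download(victim, {"_uid": "1", "_part": "2", "_token": issue_token(victim)}))
```

Because the token is bound to the session secret and the action, a token leaked from one session (or copied from a different action's form) is useless against another. Rotate the secret at login so a token captured before authentication does not carry over.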