CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8105
https://notcve.org/view.php?id=CVE-2015-8105
Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. Vulnerabilidad de XSS en program/js/app.js en Roundcube webmail en versiones anteriores a 1.0.7 y 1.1.x en versiones anteriores a 1.1.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre de archivo en una subida de archivo de arrastrar y pegar. • http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html http://trac.roundcube.net/changeset/dd7db2179/github http://trac.roundcube.net/ticket/1490530 https://security.gentoo.org/glsa/201603-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2015-1433
https://notcve.org/view.php?id=CVE-2015-1433
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. program/lib/Roundcube/rcube_washtml.php en Roundcube anterior a 1.0.5 no cita correctamente las cadenas, lo que permite a atacantes remotos realizar ataques de XSS a través del atributo de estilo en un email. • http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00064.html http://roundcube.net/news/2015/01/24/security-update-1.0.5 http://trac.roundcube.net/changeset/786aa0725/github http://trac.roundcube.net/ticket/1490227 http://www.openwall.com/lists/oss-security/2015/01/31/3 http://www.openwall.com/lists/oss-security/2015/01/31/6 http://www.securityfocus.com/bid/72401 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9587
https://notcve.org/view.php?id=CVE-2014-9587
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. Múltiples vulnerabilidades de CSRF en Roundcube Webmail anterior a 1.0.4 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores no especificadas, relacionado con (1) operaciones del libro de direcciones o los plugins (2) ACL o (3) Managesieve. • http://roundcube.net/news/2014/12/18/update-1.0.4-released http://www.openwall.com/lists/oss-security/2015/01/11/3 http://www.securityfocus.com/bid/71909 https://bugs.gentoo.org/show_bug.cgi?id=534766 https://bugzilla.redhat.com/show_bug.cgi?id=1179780 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 2CVE-2010-4930 – @Mail 6.1.9 - 'MailType' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4930
Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary web script or HTML via the MailType parameter in a mail/auth/processlogin action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en index.php de @mail Webmail antes de v6.2.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro MailType en una acción mail/auth/processlogin • https://www.exploit-db.com/exploits/34690 http://osvdb.org/68183 http://secunia.com/advisories/41555 http://securityreason.com/securityalert/8455 http://www.securityfocus.com/archive/1/513890/100/0/threaded http://www.securityfocus.com/bid/43377 https://exchange.xforce.ibmcloud.com/vulnerabilities/61958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 92%CPEs: 25EXPL: 2CVE-2008-1055 – Surgemail and WebMail 3.0 - 'Page' Remote Format String
https://notcve.org/view.php?id=CVE-2008-1055
Format string vulnerability in webmail.exe in NetWin SurgeMail 38k4 and earlier and beta 39a, and WebMail 3.1s and earlier, allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via format string specifiers in the page parameter. Vulnerabilidad de cadena de formato en webmail.exe de NetWin SurgeMail 38k4 y versiones anteriores y beta 39a, y WebMail 3.1s y versiones anteriores, permite a atacantes remotos provocar una denegación de servicio (caída del demonio) y posiblemente ejecutar código de su elección a través de cadenas de formato especificadas en el parámetro page. • https://www.exploit-db.com/exploits/31300 http://aluigi.altervista.org/adv/surgemailz-adv.txt http://secunia.com/advisories/29105 http://secunia.com/advisories/29137 http://securityreason.com/securityalert/3705 http://www.securityfocus.com/archive/1/488741/100/0/threaded http://www.securityfocus.com/bid/27990 http://www.securitytracker.com/id?1019500 http://www.vupen.com/english/advisories/2008/0678 https://exchange.xforce.ibmcloud.com/vulnerabilities/40833 • CWE-134: Use of Externally-Controlled Format String •