CVSS: 3.5EPSS: 0%CPEs: 6EXPL: 0CVE-2015-8105
https://notcve.org/view.php?id=CVE-2015-8105
Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. Vulnerabilidad de XSS en program/js/app.js en Roundcube webmail en versiones anteriores a 1.0.7 y 1.1.x en versiones anteriores a 1.1.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del nombre de archivo en una subida de archivo de arrastrar y pegar. • http://lists.opensuse.org/opensuse-updates/2015-11/msg00030.html http://trac.roundcube.net/changeset/dd7db2179/github http://trac.roundcube.net/ticket/1490530 https://security.gentoo.org/glsa/201603-03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2015-1433
https://notcve.org/view.php?id=CVE-2015-1433
program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. program/lib/Roundcube/rcube_washtml.php en Roundcube anterior a 1.0.5 no cita correctamente las cadenas, lo que permite a atacantes remotos realizar ataques de XSS a través del atributo de estilo en un email. • http://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00064.html http://roundcube.net/news/2015/01/24/security-update-1.0.5 http://trac.roundcube.net/changeset/786aa0725/github http://trac.roundcube.net/ticket/1490227 http://www.openwall.com/lists/oss-security/2015/01/31/3 http://www.openwall.com/lists/oss-security/2015/01/31/6 http://www.securityfocus.com/bid/72401 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-9587
https://notcve.org/view.php?id=CVE-2014-9587
Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. Múltiples vulnerabilidades de CSRF en Roundcube Webmail anterior a 1.0.4 permite a atacantes remotos secuestrar la autenticación de victimas no especificadas a través de vectores no especificadas, relacionado con (1) operaciones del libro de direcciones o los plugins (2) ACL o (3) Managesieve. • http://roundcube.net/news/2014/12/18/update-1.0.4-released http://www.openwall.com/lists/oss-security/2015/01/11/3 http://www.securityfocus.com/bid/71909 https://bugs.gentoo.org/show_bug.cgi?id=534766 https://bugzilla.redhat.com/show_bug.cgi?id=1179780 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 1CVE-2013-5646
https://notcve.org/view.php?id=CVE-2013-5646
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group. Vulnerabilidad Cross-site scripting (XSS) en Roundcube webmail v1.0-git, permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML arbitrarias a través del campo "Name" de un grupo de la libreta de direcciones. • http://trac.roundcube.net/ticket/1489251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 2CVE-2010-4930 – @Mail 6.1.9 - 'MailType' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4930
Cross-site scripting (XSS) vulnerability in index.php in @mail Webmail before 6.2.0 allows remote attackers to inject arbitrary web script or HTML via the MailType parameter in a mail/auth/processlogin action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en index.php de @mail Webmail antes de v6.2.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro MailType en una acción mail/auth/processlogin • https://www.exploit-db.com/exploits/34690 http://osvdb.org/68183 http://secunia.com/advisories/41555 http://securityreason.com/securityalert/8455 http://www.securityfocus.com/archive/1/513890/100/0/threaded http://www.securityfocus.com/bid/43377 https://exchange.xforce.ibmcloud.com/vulnerabilities/61958 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •