CVSS: 7.5EPSS: 2%CPEs: 5EXPL: 1CVE-2024-42010 – Debian Security Advisory 5743-1
https://notcve.org/view.php?id=CVE-2024-42010
05 Aug 2024 — mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. An update that fixes three vulnerabilities is now availab... • https://github.com/victoni/Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 4%CPEs: 2EXPL: 0CVE-2024-37385
https://notcve.org/view.php?id=CVE-2024-37385
07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. Roundcube Webmail anterior a 1.5.7 y 1.6.x anterior a 1.6.7 en Windows permite la inyección de comandos a través de im_convert_path e im_identify_path. NOTA: este problema existe debido a una solución incompleta para CVE-2020-12641. • https://github.com/roundcube/roundcubemail/commit/5ea9f37ce39374b6124586c0590fec7015d35d7f • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37384 – Ubuntu Security Notice USN-6848-1
https://notcve.org/view.php?id=CVE-2024-37384
07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Roundcube Webmail anterior a 1.5.7 y 1.6.x anterior a 1.6.7 permite XSS a través de columnas de lista de las preferencias del usuario. Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 2... • https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 5EXPL: 0CVE-2021-46144 – Debian Security Advisory 5037-1
https://notcve.org/view.php?id=CVE-2021-46144
06 Jan 2022 — Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences. Roundcube versiones anteriores a 1.4.13 y versiones 1.5.x anteriores a 1.5.2, permite una vulnerabilidad de tipo XSS por medio de un mensaje de correo electrónico HTML con secuencias de tokens de hojas de estilo en cascada (CSS) diseñadas. It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messa... • https://bugs.debian.org/1003027 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 1%CPEs: 5EXPL: 0CVE-2015-5382
https://notcve.org/view.php?id=CVE-2015-5382
23 May 2017 — program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. program/steps/addressbook/photo.inc en Roundcube Webmail, en versiones anteriores a la 1.0.6 y 1.1.x anteriores a la 1.1.2, permitiría a usuarios remotos autenticados leer ficheros arbitrarios a través del parámetro _alt parameter cuando cargamos una vCard. • http://www.openwall.com/lists/oss-security/2015/07/07/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 2%CPEs: 4EXPL: 0CVE-2015-5381
https://notcve.org/view.php?id=CVE-2015-5381
23 May 2017 — Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. Vulnerabilidad de tipo Cross-site scripting (XSS) en program/include/rcmail.php en Roundcube Webmail, versiones 1.1.x anteriores a la 1.1.2, que permitiría a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través del parámetro _mbox en la URI por defecto. • http://trac.roundcube.net/ticket/1490417 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2015-5383
https://notcve.org/view.php?id=CVE-2015-5383
23 May 2017 — Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory. Roundcube Webmail versiones 1.1.x anteriores a la 1.1.2, permitiría a atacantes remotos obtener información sensible a través de la lectura de ficheros en los directorios (1) config, (2) temp, o (3) logs. • http://www.openwall.com/lists/oss-security/2015/07/07/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2015-8864
https://notcve.org/view.php?id=CVE-2015-8864
13 Apr 2017 — Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. La vulnerabilidad XSS en Roundcube Webmail en versiones anteriores a 1.0.9 y 1.1.x en versiones anteriores a 1.1.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de un SVG manipulado, una vulnerabilidad diferente a CVE-2016-4068. • http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2016-4068
https://notcve.org/view.php?id=CVE-2016-4068
13 Apr 2017 — Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. Vulnerabilidad XSS en Roundcube Webmail en versiones anteriores a 1.0.9 y 1.1.x en versiones anteriores a 1.1.5 permite a atacantes remotos inyectar scripts web o HTML a través de un SVG manipulado, una vulnerabilidad diferente a CVE-2015-8864. • http://lists.opensuse.org/opensuse-updates/2016-08/msg00078.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-8794
https://notcve.org/view.php?id=CVE-2015-8794
29 Jan 2016 — Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. Vulnerabilidad de salto de ruta absoluta en program/steps/addressbook/photo.inc en Roundcube en versiones anteriores a 1.0.6 y 1.1.x en versiones anteriores a 1.1.2 permite a usuarios remotos autenticados leer archivos arbitrarios a través de un nomb... • http://trac.roundcube.net/changeset/6ccd4c54b/github • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •