CVSS: 9.4EPSS: 8%CPEs: 5EXPL: 1CVE-2024-42008 – Debian Security Advisory 5743-1
https://notcve.org/view.php?id=CVE-2024-42008
05 Aug 2024 — A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail. • https://github.com/victoni/Roundcube-CVE-2024-42008-and-CVE-2024-42010-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.4EPSS: 49%CPEs: 5EXPL: 2CVE-2024-42009 – Debian Security Advisory 5743-1
https://notcve.org/view.php?id=CVE-2024-42009
05 Aug 2024 — A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. Multiple cross-site scripting vulnerabilities were discovered in RoundCube webmail. • https://github.com/0xbassiouny1337/CVE-2024-42009 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 83%CPEs: 3EXPL: 3CVE-2024-37383 – RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2024-37383
07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Roundcube Webmail anterior a 1.5.7 y 1.6.x anterior a 1.6.7 permite XSS a través de atributos animados SVG. Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. • https://packetstorm.news/files/id/182334 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37384 – Ubuntu Security Notice USN-6848-1
https://notcve.org/view.php?id=CVE-2024-37384
07 Jun 2024 — Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Roundcube Webmail anterior a 1.5.7 y 1.6.x anterior a 1.6.7 permite XSS a través de columnas de lista de las preferencias del usuario. Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 2... • https://github.com/roundcube/roundcubemail/commit/cde4522c5c95f13c6aeeb1600ab17e5067a536f7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-47272 – Ubuntu Security Notice USN-6848-1
https://notcve.org/view.php?id=CVE-2023-47272
05 Nov 2023 — Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). Roundcube 1.5.x anterior a 1.5.6 y 1.6.x anterior a 1.6.5 permite XSS a través de un encabezado Content-Type o Content-Disposition (utilizado para la vista previa o descarga de archivos adjuntos). Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbit... • https://github.com/roundcube/roundcubemail/commit/5ec496885e18ec6af956e8c0d627856c2257ba2d • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 63%CPEs: 7EXPL: 2CVE-2023-5631 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2023-5631
18 Oct 2023 — Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. Roundcube anterior a 1.4.15, 1.5.x anterior a 1.5.5 y 1.6.x anterior a 1.6.4 permiten almacenar XSS a través de un mensaje de correo electrónico HTML con un documento SVG manipulado debido al comportamiento de program/lib/Roundcube/rcube_wa... • https://github.com/soreta2/CVE-2023-5631-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 76%CPEs: 4EXPL: 2CVE-2023-43770 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2023-43770
22 Sep 2023 — Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. Roundcube anterior a 1.4.14, 1.5.x anterior a 1.5.4 y 1.6.x anterior a 1.6.3 permiten XSS a través de mensajes de texto/correo electrónico plano con enlaces manipuados debido al comportamiento de program/lib/Roundcube/rcube_string_replacer.php. It was discovered that Roundcube Webmail incorrectly sanitized charac... • https://github.com/s3cb0y/CVE-2023-43770-POC • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2021-44025 – Debian Security Advisory 5013-1
https://notcve.org/view.php?id=CVE-2021-44025
19 Nov 2021 — Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. Roundcube versiones anteriores a 1.3.17 y versiones 1.4.x anteriores a 1.4.12, es propenso a un ataque de tipo XSS en el manejo de la extensión del nombre del archivo adjunto cuando se muestra un mensaje de advertencia de tipo MIME It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize reques... • https://bugs.debian.org/1000156 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 72%CPEs: 7EXPL: 1CVE-2021-44026 – Roundcube Webmail SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2021-44026
19 Nov 2021 — Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. Roundcube versiones anteriores a 1.3.17 y versiones 1.4.x anteriores a 1.4.12, es propenso a una potencial inyección SQL por medio de los parámetros search o search_params It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize requests and mail messages. This would allow an attacker to perform Cross-Side Scripting (XSS) or SQL injec... • https://github.com/pentesttoolscom/roundcube-cve-2021-44026 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-18671
https://notcve.org/view.php?id=CVE-2020-18671
24 Jun 2021 — Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. Una vulnerabilidad de tipo Cross Site Scripting (XSS) en Roundcube Mail versiones anteriores a 1.4.4 incluyéndola, por medio del parámetro smtp config en el archivo /installer/test.php • https://github.com/roundcube/roundcubemail/issues/7406 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •