CVE-2012-3508

Roundcube Webmail 0.8.0 - Persistent Cross-Site Scripting

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.

Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzandos (XSS) en program/lib/washtml.php en Roundcube Webmail v0.8.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML usando "javascript:" en un atributo href en el cuerpo de un correo electrónico formateado en HTML.

*Credits: N/A

CVSS Scores

NISTv2 4.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-06-14 CVE Reserved
2012-08-16 First Exploit
2012-08-25 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (8)

URL	Tag	Source
http://sourceforge.net/news/?group_id=139281&id=309011	X_refsource_confirm
http://trac.roundcube.net/ticket/1488613	X_refsource_confirm
http://www.openwall.com/lists/oss-security/2012/08/20/2	Mailing List
http://www.openwall.com/lists/oss-security/2012/08/20/9	Mailing List
http://www.securelist.com/en/advisories/50279	X_refsource_misc

URL	Date	SRC
https://www.exploit-db.com/exploits/20549	2012-08-16

URL	Date	SRC
https://github.com/roundcube/roundcubemail/commit/5ef8e4ad9d3ee8689d2b83750aa65395b7cd59ee	2012-08-29

URL	Date	SRC
http://secunia.com/advisories/50279	2012-08-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Roundcube Search vendor "Roundcube"		Webmail Search vendor "Roundcube" for product "Webmail"				0.8.0 Search vendor "Roundcube" for product "Webmail" and version "0.8.0"		-		Affected