CVE-2020-35730
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
YesDecision
Descriptions
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Se detectó un problema de XSS en Roundcube Webmail en versiones anteriores a la 1.2.13, 1.3.x en versiones anteriores a la 1.3.16 y 1.4.x en versiones anteriores a la 1.4.10. El atacante puede enviar un mensaje de correo electrónico de texto sin formato, con JavaScript en un elemento de referencia de enlace que es manejado inapropiadamente por linkref_addindex en rcube_string_replacer.php.
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-27 CVE Reserved
- 2020-12-28 CVE Published
- 2023-06-22 Exploited in Wild
- 2023-07-13 KEV Due Date
- 2024-08-04 CVE Updated
- 2024-11-01 EPSS Updated
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 | Issue Tracking | |
| https://github.com/roundcube/roundcubemail/releases/tag/1.2.13 | Release Notes | |
| https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 | Release Notes | |
| https://github.com/roundcube/roundcubemail/releases/tag/1.4.10 | Release Notes | |
| https://roundcube.net/download | Product | |
| https://www.alexbirnberg.com/roundcube-xss.html | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 | 2024-06-27 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | < 1.2.13 Search vendor "Roundcube" for product "Webmail" and version " < 1.2.13" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | >= 1.3.0 < 1.3.16 Search vendor "Roundcube" for product "Webmail" and version " >= 1.3.0 < 1.3.16" | - |
Affected
| ||||||
| Roundcube Search vendor "Roundcube" | Webmail Search vendor "Roundcube" for product "Webmail" | >= 1.4 < 1.4.10 Search vendor "Roundcube" for product "Webmail" and version " >= 1.4 < 1.4.10" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||