First published: Tue Nov 10 2015(Updated: )
Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
SUSE Linux | =13.1 | |
SUSE Linux | =13.2 | |
Roundcube | <=1.0.6 | |
Roundcube | =1.1.0 | |
Roundcube | =1.1.1 | |
Roundcube | =1.1.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2015-8105 is classified as a medium severity vulnerability due to its potential for cross-site scripting (XSS).
To fix CVE-2015-8105, upgrade Roundcube webmail to version 1.0.7 or 1.1.3 or later.
CVE-2015-8105 is a cross-site scripting (XSS) vulnerability that allows for script injection in file uploads.
CVE-2015-8105 affects Roundcube webmail versions prior to 1.0.7 and 1.1.x before 1.1.3.
Yes, remote authenticated users can exploit CVE-2015-8105 to inject arbitrary web scripts through file names in drag-and-drop uploads.