First published: Mon Nov 12 2018
`steps/mail/func.inc` in Roundcube before 1.3.8 has XSS via crafted use of `<svg><style>`, as demonstrated by an `onload` attribute in a `BODY` element, within an HTML attachment.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Roundcube Webmail | <1.3.8 | 
Debian Linux | =9.0 | 
debian/roundcube | 1.3.17+dfsg.1-1~deb10u2, 1.3.17+dfsg.1-1~deb10u3, 1.4.14+dfsg.1-1~deb11u1, 1.4.13+dfsg.1-1~deb11u1, 1.6.3+dfsg-1~deb12u1, 1.6.4+dfsg-1 | 
The identifier of this vulnerability is CVE-2018-19206.
CVE-2018-19206 is rated medium severity, with a score of 6.1.
The affected software is Roundcube Webmail versions up to (but not including) 1.3.8.
To fix CVE-2018-19206, update your Roundcube Webmail installation to version 1.3.8 or higher.
You can find more information about CVE-2018-19206 in the Roundcube news release and the GitHub issues and commit links provided: [Roundcube News Release](https://roundcube.net/news/2018/10/26/update-1.3.8-released), [GitHub Issues](https://github.com/roundcube/roundcubemail/issues/6410), [GitHub Commit](https://github.com/roundcube/roundcubemail/commit/102fbf1169116fef32a940b9fb1738bc45276059).