First published: Wed Aug 12 2020
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Roundcube Webmail | <1.3.15 | |
Roundcube Webmail | >=1.4.0<1.4.8 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
The vulnerability ID of this issue is CVE-2020-16145.
CVE-2020-16145 has a severity value of 6.1, which is considered medium.
CVE-2020-16145 allows stored cross-site scripting (XSS) attacks in HTML messages displayed in Roundcube Webmail.
Roundcube Webmail versions before 1.3.15 and versions from 1.4.0 up to but not including 1.4.8 are affected.
CVE-2020-16145 has been fixed in Roundcube Webmail versions 1.4.8 and 1.3.15. It is recommended to upgrade to these versions.