First published: Mon Dec 28 2020
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Roundcube Webmail | <1.2.13 | |
Roundcube Webmail | >=1.3.0, <1.3.16 | |
Roundcube Webmail | >=1.4, <1.4.10 | |
Fedoraproject Fedora | =32 | |
Fedoraproject Fedora | =33 | |
Debian Debian Linux | =9.0 | |
Roundcube email server | =1.4.14 | |
Roundcube email server | =1.5.x before 1.5.4 | |
Roundcube email server | =1.6.x before 1.6.3 | |
debian/roundcube | <=1.4.9+dfsg.1-1, <=1.3.15+dfsg.1-1~deb10u1, <=1.2.3+dfsg.1-4+deb9u7 | 1.4.10+dfsg.1-1, 1.3.16+dfsg.1-1~deb10u1 |
Roundcube Roundcube Webmail | | |
debian/roundcube | 1.4.15+dfsg.1-1+deb11u4, 1.6.5+dfsg-1+deb12u4, 1.6.9+dfsg-1, 1.6.9+dfsg-2 |
The vulnerability ID for the Roundcube Webmail cross-site scripting (XSS) vulnerability is CVE-2020-35730.
CVE-2020-35730 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail that allows an attacker to send a plain text e-mail message with JavaScript in a link reference element.
Roundcube Webmail versions before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10 are affected by the CVE-2020-35730 vulnerability.
An attacker can exploit CVE-2020-35730 by sending a plain text e-mail message with JavaScript in a malformed link reference element.
You can find more information about CVE-2020-35730 on the Roundcube Webmail website.