Latest Roundcube Webmail Vulnerabilities

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
debian/roundcube <=1.6.4+dfsg-1, <=1.6.4+dfsg-1~deb12u1, <=1.4.15+dfsg.1-1~deb11u1
>=1.5.0<1.5.6
>=1.6.0<1.6.5
=37
=38
=39
and 4 more
Stored XSS vulnerability in Roundcube
debian/roundcube <=1.6.3+dfsg-1~deb12u1, <=1.4.14+dfsg.1-1~deb11u1, <=1.6.3+dfsg-2, <=1.3.17+dfsg.1-1~deb10u3
debian/roundcube <=1.3.17+dfsg.1-1~deb10u2, <=1.4.14+dfsg.1-1~deb11u1
Roundcube Webmail<1.4.15
Roundcube Webmail>=1.5.0<1.5.5
Roundcube Webmail>=1.6.0<1.6.4
Debian Debian Linux=10.0
and 7 more
Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail<1.4.14
Roundcube Webmail>=1.5.0<1.5.4
Roundcube Webmail>=1.6.0<1.6.3
Debian Debian Linux=10.0
Roundcube Webmail
Roundcube email server=1.4.14
and 9 more
Roundcube Webmail SQL Injection Vulnerability
Roundcube Webmail<1.3.17
Roundcube Webmail>=1.4.0<1.4.12
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 3 more
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
Roundcube Webmail<1.3.17
Roundcube Webmail>=1.4.0<1.4.12
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 2 more
Cross-site scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via the SMTP config in /installer/test.php.
Roundcube Webmail<=1.4.4
Cross-site scripting (XSS) vulnerability in Roundcube Mail 1.4.4 via the database host and user in /installer/test.php.
Roundcube Webmail=1.4.4
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Roundcube Webmail<1.4.11
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Roundcube Webmail<1.2.13
Roundcube Webmail>=1.3.0<1.3.16
Roundcube Webmail>=1.4<1.4.10
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Debian Debian Linux=9.0
and 6 more
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
Roundcube Webmail<1.3.15
Roundcube Webmail>=1.4.0<1.4.8
Fedoraproject Fedora=31
Fedoraproject Fedora=32
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the...
debian/roundcube
debian/roundcube <=1.2.3+dfsg.1-4+deb9u5, <=1.4.6+dfsg.1-3, <=1.3.13+dfsg.1-1~deb10u1
Roundcube Webmail<1.2.11
Roundcube Webmail>=1.3.0<1.3.14
Roundcube Webmail>=1.4.0<1.4.7
Debian Debian Linux=10.0
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
debian/roundcube
debian/roundcube <=1.2.3+dfsg.1-4+deb9u4, <=1.4.4+dfsg.1-1, <=1.3.11+dfsg.1-1~deb10u1
Roundcube Webmail<1.3.12
Roundcube Webmail>=1.4.0<1.4.5
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 2 more
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
debian/roundcube <=1.2.3+dfsg.1-4+deb9u4, <=1.4.4+dfsg.1-1, <=1.3.11+dfsg.1-1~deb10u1
debian/roundcube
Roundcube Webmail<1.3.12
Roundcube Webmail>=1.4.0<1.4.5
Fedoraproject Fedora=31
Fedoraproject Fedora=32
and 2 more
Roundcube Webmail Remote Code Execution Vulnerability
Roundcube Webmail>=1.2.0<1.2.10
Roundcube Webmail>=1.3.0<1.3.11
Roundcube Webmail>=1.4.0<1.4.4
openSUSE Backports SLE=15.0-sp1
openSUSE Backports SLE=15.0-sp2
openSUSE Leap=15.1
and 2 more
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
debian/roundcube
debian/roundcube <=1.4.3+dfsg.1-1, <=1.2.3+dfsg.1-4+deb9u3, <=1.3.10+dfsg.1-1~deb10u1
Roundcube Webmail<1.4.4
Debian Debian Linux=9.0
Debian Debian Linux=10.0
openSUSE Backports SLE=15.0-sp1
and 3 more
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Roundcube Webmail<1.3.8
Debian Debian Linux=9.0
debian/roundcube
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated wi...
Roundcube Webmail<1.3.7
