Roundcube: >> Webmail >> 1.3.12 Security Vulnerabilities
CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
Known exploited
CVSS Score
6.1
EPSS Score
0.619
Published
2020-12-28
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
CVSS Score
6.1
EPSS Score
0.007
Published
2020-08-12
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
CVSS Score
6.1
EPSS Score
0.009
Published
2020-07-06
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
CVSS Score
6.1
EPSS Score
0.042
Published
2020-05-04
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
CVSS Score
6.5
EPSS Score
0.017
Published
2020-05-04
Page 2