Roundcube: >> Webmail >> 0.3.1 Security Vulnerabilities
steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain sensitive information, via a crafted request.
CVSS Score
5.5
EPSS Score
0.018
Published
2011-04-08
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
CVSS Score
5.0
EPSS Score
0.02
Published
2010-01-29
Page 6