Roundcube: Security Vulnerabilities
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
CVSS Score
9.3
EPSS Score
0.042
Published
2024-08-05
CVE-2024-42009
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Known exploited
CVSS Score
9.3
EPSS Score
0.876
Published
2024-08-05
CVE-2024-37383
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
Known exploited
CVSS Score
6.1
EPSS Score
0.619
Published
2024-06-07
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-06-07
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-06-07
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
CVSS Score
6.1
EPSS Score
0.004
Published
2023-11-06
CVE-2023-5631
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker
to load arbitrary JavaScript code.
Known exploited
CVSS Score
6.1
EPSS Score
0.907
Published
2023-10-18
CVE-2023-43770
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
Known exploited
CVSS Score
6.1
EPSS Score
0.757
Published
2023-09-22
Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.
CVSS Score
6.1
EPSS Score
0.011
Published
2022-01-06
CVE-2021-44026
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Known exploited
CVSS Score
9.8
EPSS Score
0.681
Published
2021-11-19
Page 1