Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webmail
(Roundcube)Repositories |
• https://github.com/roundcube/roundcubemail
• https://github.com/PHPMailer/PHPMailer |
#Vulnerabilities | 64 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-08-05 | CVE-2024-42009 | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | Webmail | 9.3 | ||
2024-08-05 | CVE-2024-42008 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | Webmail | 9.3 | ||
2020-06-09 | CVE-2020-13965 | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview. | Debian_linux, Fedora, Webmail | 6.1 | ||
2023-09-22 | CVE-2023-43770 | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | Debian_linux, Webmail | 6.1 | ||
2018-05-16 | CVE-2017-17688 | The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification | Mail, Airmail, Emclient, Maildroid, Mailmate, Horde_imp, Outlook, Thunderbird, Postbox, R2mail2, Webmail | 5.9 | ||
2020-12-28 | CVE-2020-35730 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. | Debian_linux, Fedora, Webmail | 6.1 | ||
2021-11-19 | CVE-2021-44026 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | Debian_linux, Fedora, Webmail | 9.8 | ||
2023-11-06 | CVE-2023-47272 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | Debian_linux, Fedora, Webmail | 6.1 | ||
2023-10-18 | CVE-2023-5631 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | Debian_linux, Fedora, Webmail | 5.4 | ||
2018-04-07 | CVE-2018-9846 | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. | Debian_linux, Webmail | 8.8 |