Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webmail
(Roundcube)| Repositories |
• https://github.com/roundcube/roundcubemail
• https://github.com/PHPMailer/PHPMailer |
| #Vulnerabilities | 62 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-11-12 | CVE-2018-19205 | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. | Webmail | 7.5 | ||
| 2018-11-12 | CVE-2018-19206 | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | Debian_linux, Webmail | 6.1 | ||
| 2021-06-24 | CVE-2020-18670 | Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | Webmail | 5.4 | ||
| 2021-06-24 | CVE-2020-18671 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | Webmail | 5.4 | ||
| 2017-11-09 | CVE-2017-16651 | Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | Debian_linux, Webmail | 7.8 | ||
| 2018-03-13 | CVE-2018-1000071 | roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity. | Webmail | 7.5 | ||
| 2017-03-12 | CVE-2017-6820 | rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | Webmail | 6.1 | ||
| 2016-12-08 | CVE-2016-9920 | steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. | Webmail | 7.5 | ||
| 2016-12-20 | CVE-2016-4552 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. | Webmail | 6.1 | ||
| 2016-08-25 | CVE-2016-4069 | Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. | Leap, Webmail | 8.8 |