Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webmail
(Roundcube)| Repositories |
• https://github.com/roundcube/roundcubemail
• https://github.com/PHPMailer/PHPMailer |
| #Vulnerabilities | 67 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-06-07 | CVE-2024-37383 | Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | Debian_linux, Webmail | 6.1 | ||
| 2020-06-09 | CVE-2020-13964 | An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. | Debian_linux, Fedora, Webmail | 6.1 | ||
| 2020-07-06 | CVE-2020-15562 | An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. | Debian_linux, Webmail | 6.1 | ||
| 2020-08-12 | CVE-2020-16145 | Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. | Fedora, Webmail | 6.1 | ||
| 2021-02-09 | CVE-2021-26925 | Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | Fedora, Webmail | 5.4 | ||
| 2021-06-24 | CVE-2020-18670 | Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | Webmail | 5.4 | ||
| 2021-06-24 | CVE-2020-18671 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | Webmail | 5.4 | ||
| 2021-11-19 | CVE-2021-44025 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | Debian_linux, Fedora, Webmail | 6.1 | ||
| 2023-11-06 | CVE-2023-47272 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | Debian_linux, Fedora, Webmail | 6.1 | ||
| 2018-05-16 | CVE-2017-17688 | The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification | Mail, Airmail, Emclient, Maildroid, Mailmate, Horde_imp, Outlook, Thunderbird, Postbox, R2mail2, Webmail | 5.9 |