Product:

Webmail

(Roundcube)
Repositories https://github.com/roundcube/roundcubemail
https://github.com/PHPMailer/PHPMailer
#Vulnerabilities 67
Date Id Summary Products Score Patch Annotated
2024-06-07 CVE-2024-37384 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences. Debian_linux, Webmail N/A
2024-06-07 CVE-2024-37385 Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641. Webmail N/A
2023-10-18 CVE-2023-5631 Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. Debian_linux, Fedora, Webmail 5.4
2020-05-04 CVE-2020-12641 rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. Backports_sle, Leap, Webmail 9.8
2021-11-19 CVE-2021-44026 Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. Debian_linux, Fedora, Webmail 9.8
2024-08-05 CVE-2024-42008 A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. Webmail 9.3
2024-08-05 CVE-2024-42009 A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. Webmail 9.3