Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webmail
(Roundcube)| Repositories |
• https://github.com/roundcube/roundcubemail
• https://github.com/PHPMailer/PHPMailer |
| #Vulnerabilities | 64 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-05-04 | CVE-2020-12640 | Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | Backports_sle, Leap, Webmail | 9.8 | ||
| 2020-05-04 | CVE-2020-12641 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | Backports_sle, Leap, Webmail | 9.8 | ||
| 2018-11-12 | CVE-2018-19205 | Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. This is associated with plugins/enigma/lib/enigma_driver_gnupg.php. | Webmail | 7.5 | ||
| 2018-11-12 | CVE-2018-19206 | steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | Debian_linux, Webmail | 6.1 | ||
| 2021-06-24 | CVE-2020-18670 | Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | Webmail | 5.4 | ||
| 2021-06-24 | CVE-2020-18671 | Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | Webmail | 5.4 | ||
| 2017-11-09 | CVE-2017-16651 | Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | Debian_linux, Webmail | 7.8 | ||
| 2018-03-13 | CVE-2018-1000071 | roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity. | Webmail | 7.5 | ||
| 2017-03-12 | CVE-2017-6820 | rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | Webmail | 6.1 | ||
| 2016-12-08 | CVE-2016-9920 | steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. | Webmail | 7.5 |