Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Webmail
(Roundcube)| Repositories |
• https://github.com/roundcube/roundcubemail
• https://github.com/PHPMailer/PHPMailer |
| #Vulnerabilities | 65 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-11-19 | CVE-2021-44025 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | Debian_linux, Fedora, Webmail | 6.1 | ||
| 2021-11-19 | CVE-2021-44026 | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | Debian_linux, Fedora, Webmail | 9.8 | ||
| 2023-10-18 | CVE-2023-5631 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. | Debian_linux, Fedora, Webmail | 5.4 | ||
| 2023-11-06 | CVE-2023-47272 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | Debian_linux, Fedora, Webmail | 6.1 | ||
| 2024-08-05 | CVE-2024-42009 | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | Webmail | 9.3 | ||
| 2024-08-05 | CVE-2024-42008 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | Webmail | 9.3 | ||
| 2018-05-16 | CVE-2017-17688 | The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolete packet type, not a problem in the OpenPGP specification | Mail, Airmail, Emclient, Maildroid, Mailmate, Horde_imp, Outlook, Thunderbird, Postbox, R2mail2, Webmail | 5.9 | ||
| 2018-04-07 | CVE-2018-9846 | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism. | Debian_linux, Webmail | 8.8 | ||
| 2019-04-07 | CVE-2019-10740 | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker. | Fedora, Backports_sle, Leap, Webmail | 4.3 | ||
| 2019-08-20 | CVE-2019-15237 | Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. | Fedora, Webmail | 7.4 |