Roundcube

Roundcube Webmail

10 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2024-57004

  • EPSS 0.11%
  • Published 03.02.2025 19:15:12
  • Last modified 12.02.2025 20:15:35

Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.

6.1

CVE-2024-37384

  • EPSS 0.22%
  • Published 07.06.2024 04:15:30
  • Last modified 01.05.2025 19:51:01

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via list columns from user preferences.

9.8

CVE-2024-37385

  • EPSS 0.8%
  • Published 07.06.2024 04:15:30
  • Last modified 01.05.2025 19:49:21

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 on Windows allows command injection via im_convert_path and im_identify_path. NOTE: this issue exists because of an incomplete fix for CVE-2020-12641.

6.1

CVE-2015-5381

  • EPSS 1.36%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

6.5

CVE-2015-5382

  • EPSS 1.04%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

7.5

CVE-2015-5383

  • EPSS 1.8%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

6.1

CVE-2015-8864

  • EPSS 0.37%
  • Published 13.04.2017 14:59:01
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

6.1

CVE-2016-4068

  • EPSS 0.37%
  • Published 13.04.2017 14:59:01
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.

6.5

CVE-2015-8794

  • EPSS 0.29%
  • Published 29.01.2016 19:59:06
  • Last modified 12.04.2025 10:46:40

Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact phot...

7.5

CVE-2015-8770

Exploit
  • EPSS 23.36%
  • Published 29.01.2016 19:59:00
  • Last modified 12.04.2025 10:46:40

Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execu...