Roundcube

Webmail

68 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6.1

CVE-2016-4552

Exploit
  • EPSS 0.28%
  • Published 20.12.2016 22:59:00
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message.

7.5

CVE-2016-9920

Exploit
  • EPSS 44.83%
  • Published 08.12.2016 18:59:00
  • Last modified 12.04.2025 10:46:40

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which ...

8.8

CVE-2016-4069

  • EPSS 1.13%
  • Published 25.08.2016 18:59:00
  • Last modified 12.04.2025 10:46:40

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified ve...

6.1

CVE-2015-8793

Exploit
  • EPSS 0.28%
  • Published 29.01.2016 19:59:05
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a differ...

3.5

CVE-2015-8105

  • EPSS 0.18%
  • Published 10.11.2015 17:59:13
  • Last modified 12.04.2025 10:46:40

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

4.3

CVE-2015-1433

Exploit
  • EPSS 0.56%
  • Published 03.02.2015 16:59:24
  • Last modified 12.04.2025 10:46:40

program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.

6.8

CVE-2014-9587

  • EPSS 3.59%
  • Published 15.01.2015 15:59:21
  • Last modified 12.04.2025 10:46:40

Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) ...

5

CVE-2013-1904

  • EPSS 0.4%
  • Published 08.02.2014 00:55:05
  • Last modified 11.04.2025 00:51:21

Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setti...

7.5

CVE-2013-6172

  • EPSS 1.11%
  • Published 05.11.2013 18:55:06
  • Last modified 11.04.2025 00:51:21

steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and...

4.3

CVE-2013-5645

Exploit
  • EPSS 0.31%
  • Published 29.08.2013 12:07:56
  • Last modified 11.04.2025 00:51:21

Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; ...