Roundcube

Webmail

68 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.8

CVE-2017-16651

Warning Exploit
  • EPSS 30.53%
  • Published 09.11.2017 14:29:00
  • Last modified 20.04.2025 01:37:25

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to...

6.1

CVE-2015-5381

  • EPSS 1.36%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

7.5

CVE-2015-5383

  • EPSS 1.8%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

6.5

CVE-2015-5382

  • EPSS 1.04%
  • Published 23.05.2017 04:29:00
  • Last modified 20.04.2025 01:37:25

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

8.8

CVE-2017-8114

Exploit
  • EPSS 0.63%
  • Published 29.04.2017 19:59:00
  • Last modified 20.04.2025 01:37:25

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers...

6.1

CVE-2016-4068

  • EPSS 0.37%
  • Published 13.04.2017 14:59:01
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.

6.1

CVE-2015-8864

  • EPSS 0.37%
  • Published 13.04.2017 14:59:01
  • Last modified 20.04.2025 01:37:25

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

6.1

CVE-2017-6820

  • EPSS 0.56%
  • Published 12.03.2017 05:59:00
  • Last modified 20.04.2025 01:37:25

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

8.8

CVE-2015-2181

Exploit
  • EPSS 0.76%
  • Published 30.01.2017 22:59:00
  • Last modified 20.04.2025 01:37:25

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.

9

CVE-2015-2180

Exploit
  • EPSS 2.74%
  • Published 30.01.2017 22:59:00
  • Last modified 20.04.2025 01:37:25

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.