Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-201703-10
HistoryMar 14, 2017 - 12:00 a.m.

[ASA-201703-10] roundcubemail: cross-site scripting

2017-03-1400:00:00
security.archlinux.org
15

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

58.7%

JSON

Arch Linux Security Advisory ASA-201703-10

Severity: Medium
Date : 2017-03-14
CVE-ID : CVE-2017-6820
Package : roundcubemail
Type : cross-site scripting
Remote : Yes
Link : https://security.archlinux.org/AVG-199

Summary

The package roundcubemail before version 1.2.4-1 is vulnerable to
cross-site scripting.

Resolution

Upgrade to 1.2.4-1.

pacman -Syu “roundcubemail>=1.2.4-1”

The problem has been fixed upstream in version 1.2.4.

Workaround

None.

Description

It has been discovered that rcube_utils.php in Roundcube before 1.1.8
and before 1.2.4 is susceptible to a cross-site scripting vulnerability
via a crafted Cascading Style Sheets (CSS) token sequence within an SVG
element.

Impact

A remote attacker is able to use a specially crafted SVG file to
execute arbitrary javascript on the client’s machine.

References

http://seclists.org/oss-sec/2017/q1/583
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
https://security.archlinux.org/CVE-2017-6820

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyroundcubemail< 1.2.4-1UNKNOWN

Related

nessus 2
openvas 3
ubuntucve 1
cvelist 1
nvd 1
mageia 1
seebug 1
debian 1
debiancve 1
cve 1
osv 3
prion 1
nessus
nessus
openSUSE Security Update : roundcubemail (openSUSE-2017-355)
2017-03-20 00:00:00
Debian DLA-855-1 : roundcube security update
2017-03-14 00:00:00
openvas
openvas
Mageia: Security Advisory (MGASA-2017-0092)
2022-01-28 00:00:00
Roundcube Webmail < 1.1.8, 1.2.x < 1.2.4 XSS Vulnerability
2017-03-13 00:00:00
Debian: Security Advisory (DLA-855-1)
2018-01-11 00:00:00
ubuntucve
ubuntucve
CVE-2017-6820
2017-03-12 00:00:00
cvelist
cvelist
CVE-2017-6820
2017-03-12 04:57:00
nvd
nvd
CVE-2017-6820
2017-03-12 05:59:00
mageia
mageia
Updated roundcubemail package fixes security vulnerability
2017-03-28 00:27:33
seebug
seebug
Roundcube mail body of the stored cross site Vulnerability(CVE-2017-6820)
2017-03-15 00:00:00
debian
debian
[SECURITY] [DLA 855-1] roundcube security update
2017-03-13 22:30:09
debiancve
debiancve
CVE-2017-6820
2017-03-12 05:59:00
cve
cve
CVE-2017-6820
2017-03-12 05:59:00
osv
osv
roundcube - security update
2017-03-13 00:00:00
CVE-2017-6820
2017-03-12 05:59:00
roundcubemail-1.4.11-1.3 on GA media
2024-06-15 00:00:00
prion
prion
Cross site scripting
2017-03-12 05:59:00

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.002

Percentile

58.7%

JSON
Related for ASA-201703-10
nessus2openvas3ubuntucve1cvelist1nvd1mageia1seebug1debian1debiancve1cve1osv3prion1