ID FEDORA_2015-1772.NASL Type nessus Reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2019-11-02T00:00:00
Description
A cross-site scripting vulnerability has been fixed in Roundcube
version 1.0.5.
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-1772.
#
include("compat.inc");
# Metadata section: when `description` is true the script only declares the
# attributes below and then leaves through exit(0); none of the host checks
# further down are reached on that path.
if (description)
{
  # Plugin identity and revision stamp.
  script_id(81364);
  script_version("1.4");
  script_cvs_date("Date: 2018/12/24 10:14:27");

  # Identifiers that tie this plugin to the CVE and the Fedora advisory.
  script_cve_id("CVE-2015-1433");
  script_xref(name:"FEDORA", value:"2015-1772");

  script_name(english:"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:"The remote Fedora host is missing a security update.");

  # The description is one multi-line string literal. Its line breaks are
  # part of the value, so the continuation lines must stay at column 0.
  script_set_attribute(attribute:"description", value:
"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5
version.
http://roundcube.net/news/2015/01/24/security-update-1.0.5/
http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
http://trac.roundcube.net/ticket/1490227
CVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");

  # Reference links. A URL in a comment is the one the source kept next to
  # the see_also entry that follows it.
  script_set_attribute(attribute:"see_also", value:"http://roundcube.net/news/2015/01/24/security-update-1.0.5/");
  # http://trac.roundcube.net/ticket/1490227
  script_set_attribute(attribute:"see_also", value:"https://github.com/roundcube/roundcubemail/issues/4739");
  # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5
  script_set_attribute(attribute:"see_also", value:"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5");
  # http://www.openwall.com/lists/oss-security/2015/01/31/3
  script_set_attribute(attribute:"see_also", value:"https://www.openwall.com/lists/oss-security/2015/01/31/3");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1188202");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1188203");
  # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bee0962e");

  script_set_attribute(attribute:"solution", value:"Update the affected roundcubemail package.");

  # CVSS v2 base vector: network access, medium complexity, no
  # authentication, partial integrity impact, no confidentiality or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");

  # Declared as a "local" plugin: the finding is derived from package data
  # collected on the host, not from a request sent to the Roundcube web UI.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:roundcubemail");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:21");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/02/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Declares the script this plugin depends on and the knowledge-base keys
  # it requires; the same keys are read by the checks after this section.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Host check: decide from knowledge-base data whether the roundcubemail
# package on a Fedora 21 host is reported against the fixed build
# roundcubemail-1.0.5-1.fc21. Nothing here exercises the cross-site
# scripting flaw itself; the result rests entirely on the recorded package
# data. A host that fails one of the gates below is audited out rather than
# assessed, so "no finding" on such a host says nothing about its patch state.

# Gate 1: local checks must be enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# Gate 2: the release string must exist and contain "Fedora".
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release)
{
  audit(AUDIT_OS_NOT, "Fedora");
}

# Gate 3: pull the major release number and accept only 21. The pattern
# requires "21" to be followed by a non-digit or the end of the string, so a
# value such as 210 does not match.
match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(match))
{
  audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
}
os_ver = match[1];
if (! ereg(pattern:"^21([^0-9]|$)", string:os_ver))
{
  audit(AUDIT_OS_NOT, "Fedora 21.x", "Fedora " + os_ver);
}

# Gate 4: the package list must be present in the knowledge base.
if (!get_kb_item("Host/RedHat/rpm-list"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}

# Gate 5: only x86_64 and i386-i686 hosts are evaluated.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu))
{
  audit(AUDIT_UNKNOWN_ARCH);
}
if (!("x86_64" >< cpu || cpu =~ "^i[3-6]86$"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
}

# rpm_check() is provided by rpm.inc; presumably it returns true when the
# installed package is older than the reference build - confirm in rpm.inc.
flag = 0;
if (rpm_check(release:"FC21", reference:"roundcubemail-1.0.5-1.fc21"))
{
  flag++;
}

if (!flag)
{
  # Nothing flagged: report either the packages that were tested or that
  # roundcubemail was not found.
  tested = pkg_tests_get();
  if (tested)
  {
    audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  }
  else
  {
    audit(AUDIT_PACKAGE_NOT_INSTALLED, "roundcubemail");
  }
}
else
{
  # Flagged: raise the warning, attaching the rpm report when verbosity is
  # above zero.
  if (report_verbosity > 0)
  {
    security_warning(port:0, extra:rpm_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}
{"id": "FEDORA_2015-1772.NASL", "bulletinFamily": "scanner", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "description": "Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "published": "2015-02-16T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/81364", "reporter": "This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "https://github.com/roundcube/roundcubemail/issues/4739", "https://www.openwall.com/lists/oss-security/2015/01/31/3", "http://www.nessus.org/u?bee0962e", "https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "cvelist": ["CVE-2015-1433"], "type": "nessus", "lastseen": "2019-11-01T02:27:21", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:roundcubemail"], "cvelist": ["CVE-2015-1433"], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "description": "Cross-site scripting vulnerability has been fixed in Roundcube 
1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 9, "enchantments": {"dependencies": {"modified": "2019-10-28T20:11:43", "references": [{"idList": ["SSV:92792"], "type": "seebug"}, {"idList": ["CVE-2015-1433"], "type": "cve"}, {"idList": ["DEBIAN:DLA-613-1:F4236"], "type": "debian"}, {"idList": ["DEBIAN_DLA-613.NASL", "OPENSUSE-2015-148.NASL", "FEDORA_2015-1761.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310890613", "OPENVAS:1361412562310869000", "OPENVAS:1361412562310869001"], "type": "openvas"}]}, "score": {"modified": "2019-10-28T20:11:43", "value": 5.4, "vector": "NONE"}}, "hash": "675558e847c5d5eb9daa4dca3292742589b94b394d54888c04c01c8d97a4f8c5", "hashmap": [{"hash": "0b53242064c340abda1e3acceed719a8", "key": "references"}, {"hash": "0c55f6f2d91bfca6a2d650fcae122dc4", "key": "reporter"}, {"hash": "9dccd6ec7eaf3542a6857abb77bf5b62", "key": "published"}, {"hash": "cea5d0928e131e19ecc7258b18a70bfe", "key": "description"}, {"hash": "a2fb633e4665b7057b4d2d0ae0d11972", "key": "cvelist"}, {"hash": "590cfa36da9ce6d471958a9a0e9e04e8", "key": "cpe"}, {"hash": "803cbe55602e840440942f76a22b3124", "key": "pluginID"}, {"hash": "8baec2bfd6d0bfbd83a631e5ec6b5808", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "f2c1d733db804d35019dccf6ab213607", "key": "sourceData"}, {"hash": "0c092270d70a58732c9ea011fa9a2ec3", "key": "title"}, {"hash": 
"be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "f74a1c24e49a5ecb0eefb5e51d4caa14", "key": "cvss"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/81364", "id": "FEDORA_2015-1772.NASL", "lastseen": "2019-10-28T20:11:43", "modified": "2019-10-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "81364", "published": "2015-02-16T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "https://github.com/roundcube/roundcubemail/issues/4739", "https://www.openwall.com/lists/oss-security/2015/01/31/3", "http://www.nessus.org/u?bee0962e", "https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "reporter": "This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: 
http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n # http://trac.roundcube.net/ticket/1490227\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/issues/4739\"\n );\n # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified"], "edition": 9, "lastseen": "2019-10-28T20:11:43"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:21", 
"p-cpe:/a:fedoraproject:fedora:roundcubemail"], "cvelist": ["CVE-2015-1433"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 7, "enchantments": {"dependencies": {"modified": "2019-01-16T20:20:51", "references": [{"idList": ["SSV:92792"], "type": "seebug"}, {"idList": ["CVE-2015-1433"], "type": "cve"}, {"idList": ["DEBIAN:DLA-613-1:F4236"], "type": "debian"}, {"idList": ["DEBIAN_DLA-613.NASL", "OPENSUSE-2015-148.NASL", "FEDORA_2015-1761.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310890613", "OPENVAS:1361412562310869000", "OPENVAS:1361412562310869001"], "type": "openvas"}]}, "score": {"value": 4.3, "vector": "NONE"}}, "hash": "a574e1948bb6c0332984b97298a8029091fd50cc9625ebb62949babbf8139023", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "0b53242064c340abda1e3acceed719a8", "key": "references"}, {"hash": "4a6aa59cee913088d05117547f8e824a", "key": "modified"}, {"hash": "9dccd6ec7eaf3542a6857abb77bf5b62", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "cea5d0928e131e19ecc7258b18a70bfe", "key": "description"}, {"hash": "a2fb633e4665b7057b4d2d0ae0d11972", "key": "cvelist"}, {"hash": "590cfa36da9ce6d471958a9a0e9e04e8", "key": "cpe"}, {"hash": "803cbe55602e840440942f76a22b3124", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": 
"bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "f2c1d733db804d35019dccf6ab213607", "key": "sourceData"}, {"hash": "0c092270d70a58732c9ea011fa9a2ec3", "key": "title"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e0fb38fab340350c7d50f84953dc684b", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81364", "id": "FEDORA_2015-1772.NASL", "lastseen": "2019-01-16T20:20:51", "modified": "2018-12-24T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "81364", "published": "2015-02-16T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "https://github.com/roundcube/roundcubemail/issues/4739", "https://www.openwall.com/lists/oss-security/2015/01/31/3", "http://www.nessus.org/u?bee0962e", "https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 
1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n # http://trac.roundcube.net/ticket/1490227\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/issues/4739\"\n );\n # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "type": "nessus", "viewCount": 0}, "differentElements": ["description"], "edition": 7, "lastseen": "2019-01-16T20:20:51"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:roundcubemail"], "cvelist": ["CVE-2015-1433"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5 version.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/ http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5 http://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-02-21T01:23:30", "references": [{"idList": ["SSV:92792"], "type": "seebug"}, {"idList": ["CVE-2015-1433"], "type": "cve"}, {"idList": ["DEBIAN:DLA-613-1:F4236"], "type": "debian"}, {"idList": ["DEBIAN_DLA-613.NASL", "OPENSUSE-2015-148.NASL", "FEDORA_2015-1761.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310890613", "OPENVAS:1361412562310869000", "OPENVAS:1361412562310869001"], "type": "openvas"}]}, "score": {"modified": "2019-02-21T01:23:30", "value": 5.4, "vector": "NONE"}}, "hash": "4e420fe284117f59109c842484b1ea1815a49c7fc00c544c0159740c02b5409a", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "6234585a59b70164b0f7cdc9cfa1d7c8", "key": "description"}, {"hash": "0b53242064c340abda1e3acceed719a8", "key": "references"}, {"hash": "4a6aa59cee913088d05117547f8e824a", "key": "modified"}, {"hash": "9dccd6ec7eaf3542a6857abb77bf5b62", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "a2fb633e4665b7057b4d2d0ae0d11972", "key": "cvelist"}, {"hash": "590cfa36da9ce6d471958a9a0e9e04e8", "key": "cpe"}, {"hash": "803cbe55602e840440942f76a22b3124", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "f2c1d733db804d35019dccf6ab213607", "key": "sourceData"}, {"hash": "0c092270d70a58732c9ea011fa9a2ec3", "key": "title"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e0fb38fab340350c7d50f84953dc684b", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81364", "id": "FEDORA_2015-1772.NASL", "lastseen": "2019-02-21T01:23:30", "modified": "2018-12-24T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", 
"pluginID": "81364", "published": "2015-02-16T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "https://github.com/roundcube/roundcubemail/issues/4739", "https://www.openwall.com/lists/oss-security/2015/01/31/3", "http://www.nessus.org/u?bee0962e", "https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n # http://trac.roundcube.net/ticket/1490227\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/issues/4739\"\n );\n # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss", "description", "reporter", "modified", "href"], "edition": 8, "lastseen": "2019-02-21T01:23:30"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:roundcubemail"], "cvelist": ["CVE-2015-1433"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, 
"description": "Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5 version.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/ http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5 http://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "29d9b0a6e4142677786a0eccf43a94aed563a2d22c1db58f4151322745535fa8", "hashmap": [{"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "6234585a59b70164b0f7cdc9cfa1d7c8", "key": "description"}, {"hash": "f5480c2e77679eb560c0ec1c3276088c", "key": "references"}, {"hash": "9dccd6ec7eaf3542a6857abb77bf5b62", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e145933baf60ff34e77ad35c77d74478", "key": "modified"}, {"hash": "a2fb633e4665b7057b4d2d0ae0d11972", "key": "cvelist"}, {"hash": "590cfa36da9ce6d471958a9a0e9e04e8", "key": "cpe"}, {"hash": "803cbe55602e840440942f76a22b3124", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0c092270d70a58732c9ea011fa9a2ec3", "key": "title"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "41c6be46b825d293a1a9afb515a64325", "key": "sourceData"}, {"hash": "e0fb38fab340350c7d50f84953dc684b", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81364", "id": "FEDORA_2015-1772.NASL", "lastseen": "2018-11-21T06:01:57", "modified": "2018-11-20T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "81364", "published": 
"2015-02-16T00:00:00", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://trac.roundcube.net/ticket/1490227", "http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "https://www.openwall.com/lists/oss-security/2015/01/31/3", "http://www.nessus.org/u?bee0962e", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://trac.roundcube.net/ticket/1490227\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "type": "nessus", "viewCount": 0}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-11-21T06:01:57"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:roundcubemail"], "cvelist": ["CVE-2015-1433"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": 
"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5 version.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/ http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5 http://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 2, "enchantments": {"score": {"value": 4.3, "vector": "NONE"}}, "hash": "1458425d51da911b3cd21ce6843b8bc7a5d989a1dd86da8501ba9526cea9dabc", "hashmap": [{"hash": "2ddf672b7ff5d10837da88e3608fb6b8", "key": "sourceData"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "6234585a59b70164b0f7cdc9cfa1d7c8", "key": "description"}, {"hash": "9dccd6ec7eaf3542a6857abb77bf5b62", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "a2fb633e4665b7057b4d2d0ae0d11972", "key": "cvelist"}, {"hash": "590cfa36da9ce6d471958a9a0e9e04e8", "key": "cpe"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "75d051450bf37150c2a59ad174412f32", "key": "references"}, {"hash": "803cbe55602e840440942f76a22b3124", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0c092270d70a58732c9ea011fa9a2ec3", "key": "title"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "e0fb38fab340350c7d50f84953dc684b", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=81364", "id": "FEDORA_2015-1772.NASL", "lastseen": "2017-10-29T13:44:46", "modified": "2015-10-19T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "pluginID": "81364", "published": 
"2015-02-16T00:00:00", "references": ["http://www.openwall.com/lists/oss-security/2015/01/31/3", "https://bugzilla.redhat.com/show_bug.cgi?id=1188202", "http://trac.roundcube.net/ticket/1490227", "http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5", "http://roundcube.net/news/2015/01/24/security-update-1.0.5/", "http://www.nessus.org/u?bee0962e", "https://bugzilla.redhat.com/show_bug.cgi?id=1188203"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:06:16 $\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://trac.roundcube.net/ticket/1490227\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", 
\"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "title": "Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-10-29T13:44:46"}], "edition": 10, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "590cfa36da9ce6d471958a9a0e9e04e8"}, {"key": "cvelist", "hash": "a2fb633e4665b7057b4d2d0ae0d11972"}, {"key": "cvss", "hash": "f74a1c24e49a5ecb0eefb5e51d4caa14"}, {"key": "description", "hash": "cea5d0928e131e19ecc7258b18a70bfe"}, {"key": "href", "hash": "8baec2bfd6d0bfbd83a631e5ec6b5808"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": 
"be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "803cbe55602e840440942f76a22b3124"}, {"key": "published", "hash": "9dccd6ec7eaf3542a6857abb77bf5b62"}, {"key": "references", "hash": "0b53242064c340abda1e3acceed719a8"}, {"key": "reporter", "hash": "0c55f6f2d91bfca6a2d650fcae122dc4"}, {"key": "sourceData", "hash": "f2c1d733db804d35019dccf6ab213607"}, {"key": "title", "hash": "0c092270d70a58732c9ea011fa9a2ec3"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "8673bb9d3317639f1e7b13c6b6aff2473496bb1f1cb658a375f97f8e43a5147e", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1433"]}, {"type": "seebug", "idList": ["SSV:92792"]}, {"type": "nessus", "idList": ["FEDORA_2015-1761.NASL", "OPENSUSE-2015-148.NASL", "DEBIAN_DLA-613.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310869000", "OPENVAS:1361412562310869001", "OPENVAS:1361412562310890613"]}, {"type": "debian", "idList": ["DEBIAN:DLA-613-1:F4236"]}], "modified": "2019-11-01T02:27:21"}, "score": {"value": 5.4, "vector": "NONE", "modified": "2019-11-01T02:27:21"}, "vulnersScore": 5.4}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1772.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81364);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n\n script_name(english:\"Fedora 21 : roundcubemail-1.0.5-1.fc21 (2015-1772)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 
1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n # http://trac.roundcube.net/ticket/1490227\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/issues/4739\"\n );\n # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bee0962e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"roundcubemail-1.0.5-1.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "81364", "cpe": ["cpe:/o:fedoraproject:fedora:21", "p-cpe:/a:fedoraproject:fedora:roundcubemail"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:14:40", "bulletinFamily": "NVD", "description": "program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.", "modified": "2018-10-30T16:27:00", "id": "CVE-2015-1433", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1433", "published": "2015-02-03T16:59:00", "title": "CVE-2015-1433", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "seebug": [{"lastseen": "2017-11-19T12:00:49", "bulletinFamily": "exploit", "description": "RoundCube Webmail is an open-source PHP e-mail system that is widely used abroad, so this issue is still quite significant.\n\nRoundcube webmail official website: <https://roundcube.net/>; download the latest version. The file /program/lib/Roundcube/rcube_washtml.php is the rich-text filter class, rcube_washtml. Roundcube uses this class to filter rich text.\n\nFrom a quick look, this class works as follows:\n\n 1. Parse the HTML with the DOM and extract every tag together with its attribute keys and values.\n 2. Apply a whitelist and keep only the allowed tags and attributes.\n 3. Concatenate the retained tags, attribute keys and values into the filtered HTML output.\n\nIn this process I can already see a security risk. I once wrote a rich-text filter class myself; its first two steps were the same as in this class, but in the third step I kept the result as a DOM object and then converted that object into the HTML output.\n\nWhat is the difference between the two? 
One major difference is that Roundcube builds the output HTML by string concatenation; if quotes are not handled properly during concatenation, an attribute \u201cvalue\u201d can easily escape its quoted range and become a new \u201cattribute\u201d, such as onerror.\n\nNow look at line 246:\n\n`else if ($key == 'style' && ($style = $this->wash_style($value))) { $quot = strpos($style, '\"') !== false ? \"'\" : '\"'; $t .= 'style=' . $quot . $style . $quot; }`\n\nWhen the attribute name is style, its value is passed to the wash_style function. As the name implies, this function filters CSS; its return value, `$style`, is then concatenated into the final HTML: `$t .= 'style=' . $quot . $style . $quot;`\n\n`$quot` is the quotation mark placed around `$style`. It is defined in the preceding statement: when `$style` contains a double quotation mark, `$quot` is a single quotation mark; otherwise `$quot` is a double quotation mark.\n\nBut what if `$style` contains both kinds of quotation mark? The delimiter is then closed early, and whatever follows can be written as additional attributes. In the code shown, the chosen delimiter is not escaped inside the value, so picking a delimiter alone cannot make the output safe; quote characters in the value have to be HTML-encoded before it is emitted.\n\nI will skip some of the more tedious analysis; my final payload is:\n\n`<img src=\"data:xxx1\" style=aaa:'\"/onerror=alert(1)//' >`\n\nThe style value contains both a single and a double quotation mark; because a double quotation mark is present, a single quotation mark is chosen as the outer delimiter. 
And because the value itself also contains a single quotation mark, that mark closes the opening delimiter, the content after it spills out of the attribute, onerror becomes a new attribute, and the result is stored XSS.\n\nAfter processing by the class, the HTML looks like this; the latest version of Chrome triggers it directly, without user interaction:\n\n`<!-- html ignored --><!-- body ignored --><img src=\"data:xxx1\" style='aaa: '\\\"/onerror=alert(1)//\" />`\n\nTo test, send an e-mail containing the above PoC; it triggers when the message is opened in Roundcube:\n\n\n\n\n", "modified": "2017-03-16T00:00:00", "published": "2017-03-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92792", "id": "SSV:92792", "type": "seebug", "title": "RoundCube Webmail mail <1.0.5 body stored XSS\uff08CVE-2015-1433\uff09", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2019-11-01T02:27:21", "bulletinFamily": "scanner", "description": "Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2019-11-02T00:00:00", "id": "FEDORA_2015-1761.NASL", "href": "https://www.tenable.com/plugins/nessus/81362", "published": "2015-02-16T00:00:00", "title": "Fedora 20 : roundcubemail-1.0.5-1.fc20 (2015-1761)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1761.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81362);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/12/24 10:14:27\");\n\n script_cve_id(\"CVE-2015-1433\");\n script_xref(name:\"FEDORA\", value:\"2015-1761\");\n\n script_name(english:\"Fedora 20 : roundcubemail-1.0.5-1.fc20 (2015-1761)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Cross-site scripting vulnerability has been fixed in Roundcube 1.0.5\nversion.\n\nhttp://roundcube.net/news/2015/01/24/security-update-1.0.5/\nhttp://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\nhttp://trac.roundcube.net/ticket/1490227\n\nCVE request: http://www.openwall.com/lists/oss-security/2015/01/31/3\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://roundcube.net/news/2015/01/24/security-update-1.0.5/\"\n );\n # http://trac.roundcube.net/ticket/1490227\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/issues/4739\"\n );\n # http://trac.roundcube.net/wiki/Changelog#RELEASE1.0.5\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/roundcube/roundcubemail/wiki/Changelog#RELEASE1.0.5\"\n );\n # http://www.openwall.com/lists/oss-security/2015/01/31/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/01/31/3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1188203\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150002.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a7924ca3\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"roundcubemail-1.0.5-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-11-01T03:00:45", "bulletinFamily": "scanner", "description": "roundcubemail was updated to version 1.0.5 to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-1433: program/lib/Roundcube/rcube_washtml.php\n in Roundcube before 1.0.5 did not properly quote\n strings, which allowed remote attackers to conduct\n cross-site scripting (XSS) attacks via the style\n attribute in an 
email (bnc#915789).\n\nVarious non-security bugs were resolved in this update. Please see the\nchanges file for details.", "modified": "2019-11-02T00:00:00", "id": "OPENSUSE-2015-148.NASL", "href": "https://www.tenable.com/plugins/nessus/81373", "published": "2015-02-16T00:00:00", "title": "openSUSE Security Update : roundcubemail (openSUSE-2015-148)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2015-148.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(81373);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2015/03/11 13:51:32 $\");\n\n script_cve_id(\"CVE-2015-1433\");\n\n script_name(english:\"openSUSE Security Update : roundcubemail (openSUSE-2015-148)\");\n script_summary(english:\"Check for the openSUSE-2015-148 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"roundcubemail was updated to version 1.0.5 to fix one security issue.\n\nThis security issue was fixed :\n\n - CVE-2015-1433: program/lib/Roundcube/rcube_washtml.php\n in Roundcube before 1.0.5 did not properly quote\n strings, which allowed remote attackers to conduct\n cross-site scripting (XSS) attacks via the style\n attribute in an email (bnc#915789).\n\nVarious non-security bugs were resolved in this update. 
Please see the\nchanges file for details.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=863569\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=915789\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected roundcubemail package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:roundcubemail\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/02/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.1|SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.1 / 13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.1\", reference:\"roundcubemail-1.0.5-2.18.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE13.2\", reference:\"roundcubemail-1.0.5-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"roundcubemail\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-11-01T02:20:39", "bulletinFamily": "scanner", "description": "Multiple CSRF and XSS issues allow remote attackers to hijack the\nauthentication and execute roundcube operations without the consent of\nthe user. In some cases, this could result in data loss or data theft.\n\nCVE-2014-9587\n\nMultiple cross-site request forgery (CSRF) vulnerabilities in Roundcube allow\nremote attackers to hijack the authentication of unspecified victims\nvia unknown vectors, related to (1) address book operations or the (2)\nACL or (3) Managesieve plugins.\n\nCVE-2015-1433\n\nIncorrect quotation logic during sanitization of style HTML attribute\nallows remote attackers to execute arbitrary JavaScript code on the\nuser's browser.", "modified": "2019-11-02T00:00:00", "id": "DEBIAN_DLA-613.NASL", "href": "https://www.tenable.com/plugins/nessus/93385", "published": "2016-09-09T00:00:00", "title": "Debian DLA-613-1 : roundcube security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-613-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93385);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/07/09 14:30:26\");\n\n script_cve_id(\"CVE-2014-9587\", \"CVE-2015-1433\", \"CVE-2016-4069\");\n script_bugtraq_id(71909, 72401);\n\n script_name(english:\"Debian DLA-613-1 : roundcube security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple CSRF and XSS issues allow remote attackers to hijack the\nauthentication and execute roundcube operations without the consent of\nthe user. In some cases, this could result in data loss or data theft.\n\nCVE-2014-9587\n\nMultiple cross-site request forgery (CSRF) vulnerabilities in allow\nremote attackers to hijack the authentication of unspecified victims\nvia unknown vectors, related to (1) address book operations or the (2)\nACL or (3) Managesieve plugins.\n\nCVE-2015-1433\n\nIncorrect quotation logic during sanitization of style HTML attribute\nallows remote attackers to execute arbitrary JavaScript code on the\nuser's browser. CVE-2016-4069\n\nCross-site request forgery (CSRF) vulnerability allows\nremote attackers to hijack the authentication of users for\nrequests that download attachments and cause a denial of\nservice (disk consumption) via unspecified vectors.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n0.7.2-9+deb7u.\n\nWe recommend that you upgrade your roundcube packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/09/msg00006.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/roundcube\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:roundcube\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:roundcube-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:roundcube-mysql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:roundcube-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:roundcube-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n 
script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"roundcube\", reference:\"0.7.2-9+deb7u\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"roundcube-core\", reference:\"0.7.2-9+deb7u\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"roundcube-mysql\", reference:\"0.7.2-9+deb7u\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"roundcube-pgsql\", reference:\"0.7.2-9+deb7u\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"roundcube-plugins\", reference:\"0.7.2-9+deb7u\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:35:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the 'roundcubemail' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2015-02-15T00:00:00", "id": "OPENVAS:1361412562310869000", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869000", "title": "Fedora Update for roundcubemail FEDORA-2015-1761", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for roundcubemail FEDORA-2015-1761\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it 
and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869000\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-15 05:47:23 +0100 (Sun, 15 Feb 2015)\");\n script_cve_id(\"CVE-2012-4230\", \"CVE-2015-1433\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for roundcubemail FEDORA-2015-1761\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'roundcubemail'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"roundcubemail on Fedora 20\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-1761\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-February/150002.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC20\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"roundcubemail\", rpm:\"roundcubemail~1.0.5~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:36:21", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the 'roundcubemail' package(s) announced via the referenced advisory.", "modified": "2019-03-15T00:00:00", "published": "2015-02-15T00:00:00", "id": "OPENVAS:1361412562310869001", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869001", "title": "Fedora Update for roundcubemail FEDORA-2015-1772", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for roundcubemail FEDORA-2015-1772\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.869001\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-02-15 05:47:24 +0100 (Sun, 15 Feb 2015)\");\n script_cve_id(\"CVE-2012-4230\", \"CVE-2015-1433\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for roundcubemail FEDORA-2015-1772\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'roundcubemail'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"roundcubemail on Fedora 21\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-1772\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2015-February/149877.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC21\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"roundcubemail\", rpm:\"roundcubemail~1.0.5~1.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:31", "bulletinFamily": "scanner", "description": "The security update announced as DLA-613-1 caused a regression. A\nmissing null parameter set the $task variable in the rcmail_url()\nfunction to a boolean value which led to service not available errors\nwhen viewing attached images. Updated packages are now available to\ncorrect this issue.", "modified": "2019-03-18T00:00:00", "published": "2018-02-08T00:00:00", "id": "OPENVAS:1361412562310890613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890613", "title": "Debian LTS Advisory ([SECURITY] [DLA 613-2] roundcube regression update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_613.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 613-2 using nvtgen 1.0\n# Script version:2.0\n# #\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890613\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2014-9587\", \"CVE-2015-1433\", \"CVE-2016-4069\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 613-2] roundcube regression update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-08 00:00:00 +0100 (Thu, 08 Feb 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/07/msg00034.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"roundcube on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n0.7.2-9+deb7u8.\n\nWe recommend that you upgrade your roundcube packages.\");\n script_tag(name:\"summary\", value:\"The security update announced as DLA-613-1 caused a regression. 
A\nmissing null parameter set the $task variable in the rcmail_url()\nfunction to a boolean value which led to service not available errors\nwhen viewing attached images. Updated packages are now available to\ncorrect this issue.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"roundcube\", ver:\"0.7.2-9+deb7u8\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"roundcube-core\", ver:\"0.7.2-9+deb7u8\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"roundcube-mysql\", ver:\"0.7.2-9+deb7u8\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"roundcube-pgsql\", ver:\"0.7.2-9+deb7u8\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"roundcube-plugins\", ver:\"0.7.2-9+deb7u8\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:37", "bulletinFamily": "unix", "description": "Package : roundcube\nVersion : 0.7.2-9+deb7u4\nCVE ID : CVE-2014-9587 CVE-2015-1433 CVE-2016-4069\nDebian Bug : 822333 775576 776700\n\nMultiple CSRF and XSS issues allow remote attackers to hijack the\nauthentication and execute roundcube operations without the consent of the\nuser. 
In some cases, this could result in data loss or data theft.\n\nCVE-2014-9587\n\n Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube\n allow remote attackers to hijack the authentication of unspecified\n victims via unknown vectors, related to (1) address book operations or\n the (2) ACL or (3) Managesieve plugins.\n\nCVE-2015-1433\n\n Incorrect quotation logic during sanitization of style HTML\n attribute allows remote attackers to execute arbitrary\n JavaScript code on the user's browser.\n \nCVE-2016-4069\n\n Cross-site request forgery (CSRF) vulnerability allows remote\n attackers to hijack the authentication of users for requests that\n download attachments and cause a denial of service (disk consumption)\n via unspecified vectors.\n\nFor Debian 7 \"Wheezy\", these problems have been fixed in version\n0.7.2-9+deb7u4.\n\nWe recommend that you upgrade your roundcube packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \nRapha\u00ebl Hertzog \u25c8 Debian Developer\n\nSupport Debian LTS: http://www.freexian.com/services/debian-lts.html\nLearn to master Debian: http://debian-handbook.info/get/\n", "modified": "2016-09-08T09:59:01", "published": "2016-09-08T09:59:01", "id": "DEBIAN:DLA-613-1:F4236", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00006.html", "title": "[SECURITY] [DLA 613-1] roundcube security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}