CVE-2015-8105

2015-11-1017:59:13

CWE-79

[email protected]

web.nvd.nist.gov

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

AI Score

6.5

Confidence

High

EPSS

0.002

Percentile

52.0%

JSON

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

Affected configurations

Nvd

Node

opensuseopensuseMatch13.1

opensuseopensuseMatch13.2

Node

roundcubewebmailRange≤1.0.6

roundcubewebmailMatch1.1.0

roundcubewebmailMatch1.1.1

roundcubewebmailMatch1.1.2

VendorProductVersionCPE
opensuseopensuse13.1cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
opensuseopensuse13.2cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
roundcubewebmail*cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
roundcubewebmail1.1.0cpe:2.3:a:roundcube:webmail:1.1.0:*:*:*:*:*:*:*
roundcubewebmail1.1.1cpe:2.3:a:roundcube:webmail:1.1.1:*:*:*:*:*:*:*
roundcubewebmail1.1.2cpe:2.3:a:roundcube:webmail:1.1.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opensuse	opensuse	13.1	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
opensuse	opensuse	13.2	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
roundcube	webmail	*	cpe:2.3:a:roundcube:webmail::::::::
roundcube	webmail	1.1.0	cpe:2.3:a:roundcube:webmail:1.1.0:::::::*
roundcube	webmail	1.1.1	cpe:2.3:a:roundcube:webmail:1.1.1:::::::*
roundcube	webmail	1.1.2	cpe:2.3:a:roundcube:webmail:1.1.2:::::::*