2031 matches found

OSV
added 2024/03/06 11:5 a.m. | 22 views

BIT-ROUNDCUBE-2020-13964

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmailoutputhtml.php allows XSS via the username template object...

6.1 CVSS | 7.2 AI score | 0.01038 EPSS
Exploits 0 | References 7
OSV
added 2024/03/06 11:5 a.m. | 24 views

BIT-ROUNDCUBE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview...

6.3 CVSS | 6.2 AI score | 0.76596 EPSS
Exploits 2 | References 9
OSV
added 2024/03/06 11:5 a.m. | 25 views

BIT-ROUNDCUBE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists...

6.1 CVSS | 5.8 AI score | 0.02073 EPSS
Exploits 0 | References 6
OSV
added 2024/03/06 11:5 a.m. | 18 views

BIT-ROUNDCUBE-2020-16145

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15...

6.1 CVSS | 5.8 AI score | 0.01945 EPSS
Exploits 0 | References 7
OSV
added 2024/03/06 11:5 a.m. | 21 views

BIT-ROUNDCUBE-2020-18670

Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php...

5.4 CVSS | 5.4 AI score | 0.0092 EPSS
Exploits 1 | References 3
OSV
added 2024/03/06 11:5 a.m. | 18 views

BIT-ROUNDCUBE-2020-18671

Cross Site Scripting (XSS) vulnerability in Roundcube Mail =1.4.4 via smtp config in /installer/test.php...

5.4 CVSS | 5.5 AI score | 0.00814 EPSS
Exploits 1 | References 3
OSV
added 2024/03/06 11:4 a.m. | 33 views

BIT-ROUNDCUBE-2020-35730

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkrefaddindex in rcubestringreplacer.php...

6.1 CVSS | 6.2 AI score | 0.32365 EPSS
Exploits 1 | References 9
OSV
added 2024/03/06 11:4 a.m. | 18 views

BIT-ROUNDCUBE-2021-26925

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering...

5.4 CVSS | 5 AI score | 0.01006 EPSS
Exploits 0 | References 4
OSV
added 2024/03/06 11:4 a.m. | 23 views

BIT-ROUNDCUBE-2021-44025

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message...

6.1 CVSS | 7.2 AI score | 0.01128 EPSS
Exploits 0 | References 8
OSV
added 2024/03/06 11:4 a.m. | 38 views

BIT-ROUNDCUBE-2021-44026

Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or searchparams...

9.8 CVSS | 9.7 AI score | 0.42908 EPSS
Exploits 1 | References 7
OSV
added 2024/03/06 11:4 a.m. | 16 views

BIT-ROUNDCUBE-2023-43770

Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcubestringreplacer.php behavior...

6.1 CVSS | 5.9 AI score | 0.56895 EPSS
Exploits 2 | References 3
OSV
added 2024/03/06 11:4 a.m. | 19 views

BIT-ROUNDCUBE-2023-47272

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header used for attachment preview or download...

6.1 CVSS | 5.8 AI score | 0.00641 EPSS
Exploits 0 | References 8
OSV
added 2024/03/06 11:3 a.m. | 26 views

BIT-ROUNDCUBE-2023-5631

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcubewashtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code...

6.1 CVSS | 5.5 AI score | 0.70879 EPSS
Exploits 2 | References 15
Tenable Nessus
added 2024/02/28 12:0 a.m. | 13 views

Roundcube Webmail Service Detection

Binary data roundcubewebmaildetect.nbin...

7.3 AI score
Exploits 0 | References 1
hivepro
added 2024/02/26 12:57 p.m. | 23 views

Roundcube Webmail Faces Unrelenting Exploitation

Summary: The Roundcube email server vulnerability, identified as CVE-2023-43770 and previously mitigated in September 2023, is currently being actively exploited. This flaw enables attackers to gain access to restricted information, with potential repercussions including sensitive data theft, use...

5.8 CVSS | 7.2 AI score | 0.56895 EPSS
Exploits 2
OSV
added 2024/02/26 3:46 a.m. | 0 views

USN-6654-1 roundcube vulnerability

It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. CVE-2023-43770...

6.1 CVSS | 6.6 AI score | 0.56895 EPSS
Exploits 2 | References 2
Ubuntu
added 2024/02/26 3:46 a.m. | 33 views

USN-6654-1: Roundcube Webmail vulnerability

It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. CVE-2023-43770...

6.1 CVSS | 6.9 AI score | 0.56895 EPSS
Exploits 2
OpenVAS
added 2024/02/26 12:0 a.m. | 15 views

Ubuntu: Security Advisory (USN-6654-1)

The remote host is missing an update for the...

6.1 CVSS | 6.3 AI score | 0.56895 EPSS
Exploits 2 | References 4
Tenable Nessus
added 2024/02/26 12:0 a.m. | 20 views

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 : Roundcube Webmail vulnerability (USN-6654-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6654-1 advisory. It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker...

6.1 CVSS | 7.2 AI score | 0.56895 EPSS
Exploits 2 | References 2
Malwarebytes
added 2024/02/19 7:46 a.m. | 20 views

A week in security (February 12 – February 18)

Last week on Malwarebytes Labs: GoldPickaxe Trojan steals your face!; Microsoft Exchange vulnerability actively exploited; Massive utility scam campaign spreads via online ads; Facebook Marketplace users’ stolen data offered for sale; How ransomware changed in 2023; Malwarebytes crushes malware all th...

7.4 AI score
Exploits 0