
60 matches found

Cvelist
added 2026/04/06 8:13 p.m. | 13 views

CVE-2026-35390 Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy (proxy.ts) set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting (XSS) attacks were logged but not blocked...

CVSS: 5.3 | EPSS: 0.00035
Exploits: 0 | References: 1
Fedora
added 2026/03/28 12:19 a.m. | 2 views

[SECURITY] Fedora 44 Update: roundcubemail-1.7~rc5-1.fc44

RoundCube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides full functionality you expect from an e-mail client, including MIME support, address book, folder manipulation, message searching and spell checking. RoundCube Webmail is written in...

AI score: 5.9
Exploits: 0
EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2012-1927

Malware in sbrugna...

CVSS: 5 | AI score: 6.4 | EPSS: 0.0046
Exploits: 0 | References: 6
SUSE CVE
added 2023/02/15 6:10 a.m. | 3 views

SUSE CVE-2007-6018

IMP Webmail Client 4.1.5, Horde Application Framework 3.1.5, and Horde Groupware Webmail Edition 1.0.3 do not validate unspecified HTTP requests, which allows remote attackers to (1) delete arbitrary e-mail messages via a modified numeric ID or (2) "purge" deleted emails via a crafted email message...

CVSS: 5.8 | AI score: 7.1 | EPSS: 0.01399
Exploits: 1 | References: 4
Saint
added 2019/01/18 12:00 a.m. | 51 views

Horde Imp Unauthenticated Remote Command Execution

Added: 01/18/2019. BID: 106018. Background: The IMP is a web-based mail client for IMAP and POP3 accounts. It is built atop the Horde Application Framework, which is a general-purpose web application library written in PHP. Problem: A vulnerability in Horde IMP could allow unauthenticated command...

AI score: 7.7
Exploits: 0
Tenable Nessus
added 2018/08/31 12:00 a.m. | 15 views

Debian DLA-1484-1 : squirrelmail security update

It was discovered that there were a number of Cross Site Scripting (XSS) vulnerabilities in the squirrelmail webmail client. For Debian 8 'Jessie', these issues have been fixed in squirrelmail version 2:1.4.23svn20120406-2+deb8u3. We recommend that you upgrade your squirrelmail packages. NOTE: Tenab...

AI score: 5.3
Exploits: 0 | References: 2
CNVD
added 2017/07/27 12:00 a.m. | 1 view

atmail Cross-Site Scripting Vulnerability

atmail is an open source WebMail client from Australia's atmail company, which provides a Webmail interface, address book management, calendars and other features, and supports IMAP, video mail and so on. A cross-site scripting vulnerability exists in versions of atmail prior to 7.8.0.2. A...

CVSS: 6.1 | AI score: 6.5 | EPSS: 0.0026
Exploits: 1 | References: 1
Tenable Nessus
added 2016/04/07 12:00 a.m. | 29 views

Debian DSA-3541-1 : roundcube - security update

High-Tech Bridge Security Research Lab discovered that Roundcube, a webmail client, contained a path traversal vulnerability. This flaw could be exploited by an attacker to access sensitive files on the server, or even execute arbitrary code...

CVSS: 7.5 | AI score: 7.8 | EPSS: 0.28303
Exploits: 5 | References: 3
OSV
added 2016/04/05 12:00 a.m. | 11 views

DSA-3541-1 roundcube - security update

Bulletin has no description...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.28303
Exploits: 5
Debian
added 2016/01/17 6:27 p.m. | 29 views

[SECURITY] [DLA 392-1] roundcube security update

Package: roundcube. Version: 0.3.1-6+deb6u1. CVE ID: CVE-2015-8770. High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to...

CVSS: 7.5 | AI score: 7.8 | EPSS: 0.28303
Exploits: 5
htbridge
added 2015/12/21 12:00 a.m. | 531 views

Remote Code Execution in Roundcube

High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in a popular webmail client Roundcube. Vulnerability can be exploited to gain access to sensitive information and under certain circumstances to execute arbitrary code and totally compromise the vulnerable server. Th...

CVSS: 6 | AI score: 0.9 | EPSS: 0.28303
Exploits: 5 | Affected Software: 1
seebug.org
added 2014/07/01 12:00 a.m. | 12 views

Atrium Software Mercur WebView WebMail-Client 1.0 - Buffer Overflow

No description provided by source. source: http://www.securityfocus.com/bid/1056/info WebView WebMail-Client is an add-on for the Mercur SMTP/POP3/IMAP4 Mail Server which allows a user to access email through a web browser. Insufficient boundary checking exists in the code which handles GET...

AI score: 7.1
Exploits: 0
seebug.org
added 2014/07/01 12:00 a.m. | 13 views

Yet Another NOCC <= 0.1.0 - Local File Inclusion Vulnerability

No description provided by source. Yet Another NOCC 0.1.0 = Local File Inclusion Vulnerabilities YANOCC is a simple and fast webmail client which can handle POP3, SMTP, and IMAP servers. YANOCC is based on NOCC's code and is written with PHP4. It features multi-language support, MIME attachments,...

AI score: 7.1
Exploits: 0
seebug.org
added 2014/07/01 12:00 a.m. | 9 views

t-dah webmail client 3.2.0-2.3 - Stored XSS

No description provided by source. #!/usr/bin/python ''' Author: loneferret of Offensive Security Product: T-dah Webmail Client Version: 3.2.0-2.3 Vendor Site: http://t-dahmail.sourceforge.net/index.php Software Download: http://sourceforge.net/projects/t-dahmail/ Contact:...

AI score: 7.1
Exploits: 0
seebug.org
added 2014/07/01 12:00 a.m. | 14 views

NuralStorm Webmail <= 0.98b (process.php) Remote Include Vulnerability

No description provided by source. NuralStorm Webmail = 0.98b Remote File Include Vulnerability. Discovered By Kw3RLn Romanian Security Team :...

AI score: 7.1
Exploits: 0
exploitpack
added 2012/08/08 12:00 a.m. | 8 views

T-dah Webmail Client 3.2.0-2.3 - Persistent Cross-Site Scripting

#!/usr/bin/python ''' Author: loneferret of Offensive Security Product: T-dah Webmail Client Version: 3.2.0-2.3 Vendor Site: http://t-dahmail.sourceforge.net/index.php Software Download: http://sourceforge.net/projects/t-dahmail/...

AI score: 6.8
Exploits: 0
Exploit DB
added 2012/08/08 12:00 a.m. | 30 views

T-dah Webmail Client 3.2.0-2.3 - Persistent Cross-Site Scripting

#!/usr/bin/python ''' Author: loneferret of Offensive Security Product: T-dah Webmail Client Version: 3.2.0-2.3 Vendor Site: http://t-dahmail.sourceforge.net/index.php Software Download: http://sourceforge.net/projects/t-dahmail/ Contact: http://t-dahmail.sourceforge.net/forum/ Timeline: 29 May...

AI score: 7.4
Exploits: 0
Tenable Nessus
added 2012/06/19 12:00 a.m. | 82 views

MailEnable ForgottenPassword.aspx Username Parameter XSS

The webmail client bundled with MailEnable is affected by a cross-site scripting vulnerability in the ForgottenPassword.aspx script. The 'Username' parameter fails to properly sanitize user-supplied input. Successful exploitation would allow an attacker to steal cookies used for webmail access...

CVSS: 4.3 | AI score: 5.3 | EPSS: 0.33839
Exploits: 5 | References: 3
Japan Vulnerability Notes
added 2012/05/25 12:00 a.m. | 29 views

JVN#21422837: Roundcube Webmail vulnerable to cross-site scripting

Roundcube Webmail is an open source webmail client from the Roundcube Webmail Project. Roundcube Webmail contains a cross-site scripting vulnerability. Impact: An arbitrary script may be executed on the user's Internet Explorer when viewing a specially crafted image file. Solution: Update the...

CVSS: 2.6 | AI score: 5.5 | EPSS: 0.00254
Exploits: 0
NVD
added 2012/03/27 7:55 p.m. | 13 views

CVE-2012-1920

@Mail WebMail Client in AtMail Open-Source 1.04 and earlier allows remote attackers to obtain configuration information via a direct request to install/info.php, which calls the phpinfo function...

CVSS: 5 | AI score: 6.3 | EPSS: 0.00524
Exploits: 0 | References: 4