7 matches found
CVE-2015-5383
Summary: CVE-2015-5383 affects Roundcube Webmail 1.1.x before 1.1.2, where a remote attacker can read files from the config, temp, or logs directories to obtain sensitive information. The root cause is an information-disclosure path that allows unintended access to local files. The vulnerability ...
CVE-2015-8770
CVE-2015-8770 is a path traversal vulnerability in Roundcube’s skin handling. Specifically, the set_skin function in Roundcube’s rcmail_output_html.php (affected in versions prior to 1.0.8 and 1.1.x prior to 1.1.4) allows remote authenticated users with required permissions to read arbitrary file...
CVE-2016-4068
CVE-2016-4068 is an XSS vulnerability in Roundcube Webmail, affecting versions before 1.0.9 and 1.1.x before 1.1.5. An attacker can inject arbitrary script/HTML via a crafted SVG, enabling remote code execution in the context of the user’s browser. The issue stems from insufficient input validati...
CVE-2015-8864
CVE-2015-8864 is an XSS vulnerability in Roundcube Webmail, exploitable through a crafted SVG. Affected products are Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5. The issue allows remote attackers to inject arbitrary web script or HTML. The description explicitly notes this is a separate...
CVE-2015-5381
Summary: The CVE-2015-5381 entry affects Roundcube Webmail 1.1.x before 1.1.2, where a cross-site scripting (XSS) vulnerability exists in the file program/include/rcmail.php . A remote attacker can exploit this by supplying a crafted payload to the _mbox parameter at the default URI, enabling inj...
CVE-2015-8794
Roundcube Webmail contains an absolute path traversal vulnerability in program/steps/addressbook/photo.inc, affecting Roundcube before 1.0.6 and 1.1.x before 1.1.2. A remote authenticated user can read arbitrary files by supplying a full pathname in the _alt parameter during contact photo handlin...
CVE-2015-5382
The CVE-2015-5382 vulnerability affects Roundcube Webmail prior to 1.0.6 and 1.1.x prior to 1.1.2. Affected component: program/steps/addressbook/photo.inc. Root cause: information disclosure via the _alt parameter when uploading a vCard, allowing remote authenticated users to read arbitrary files...