81 matches found
CVE-2017-6820
CVE-2017-6820 affects Roundcube’s webmail software via rcube_utils.php. The vulnerability is a cross-site scripting (XSS) flaw caused by a crafted CSS token sequence inside an SVG element, impacting Roundcube versions before 1.1.8 and 1.2.x before 1.2.4. Exploitation details indicate a remote att...
CVE-2018-1000071
Roundcube Webmail
CVE-2010-0464
CVE-2010-0464 affects Roundcube 0.3.1 and earlier, where the browser is not instructed to avoid DNS prefetching for domain names in email messages, enabling remote attackers to infer the user’s network location by DNS requests. Public references include Fedora backport and Debian backports adviso...
CVE-2012-6121
CVE-2012-6121 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail prior to 0.8.5. An attacker can inject arbitrary script/html via data:text or vbscript links, potentially affecting users who click such links. The issue is documented in multiple connected sources (e.g., SUSE securi...
CVE-2015-5381
Summary: The CVE-2015-5381 entry affects Roundcube Webmail 1.1.x before 1.1.2, where a cross-site scripting (XSS) vulnerability exists in the file program/include/rcmail.php . A remote attacker can exploit this by supplying a crafted payload to the _mbox parameter at the default URI, enabling inj...
CVE-2015-8793
The CVE refers to a Cross-site scripting (XSS) vulnerability in Roundcube Webmail affecting the file program/include/rcmail.php, specifically in versions before 1.0.6 and 1.1.x before 1.1.2. The underlying issue is an XSS vector via the _mbox parameter in a mail task to the default URL, enabling ...
CVE-2005-4368
CVE-2005-4368 affects Roundcube Webmail Alpha. When rcube_config['debug_level'] is set to 1 (default high verbose), an attacker can trigger an invalid_task to cause an error message that discloses the full application path. The available connected documents confirm the vulnerability description a...
CVE-2009-4076
CVE-2009-4076 is a CSRF vulnerability in Roundcube Webmail 0.2.2 and earlier that could allow remote attackers to hijack a user’s authentication for requests that modify user information. Connected documents indicate a remediation: Fedora 10 security advisory MDVSA-2010:015 fixes CVE-2009-4076 (a...
CVE-2011-1491
CVE-2011-1491 affects Roundcube Webmail prior to 0.5.1. The issue is in the login form: an authenticated-but-unintended login sequence can be exploited to obtain sensitive information when a victim logs into the attacker’s account and composes an email, effectively a login CSRF vulnerability. Con...
CVE-2015-8105
CVE-2015-8105 affects Roundcube webmail, specifically the vulnerable component is program/js/app.js. The XSS flaw arises in the drag-and-drop file upload via the filename field, impacting Roundcube versions before 1.0.7 and 1.1.x before 1.1.3. Exploitation requires remote authenticated access, en...
CVE-2008-5620
CVE-2008-5620 affects RoundCube Webmail (roundcubemail) prior to 0.2-beta. The vulnerability allows remote attackers to cause a denial of service via crafted size parameters used to generate a quota image, leading to memory consumption. Public references in the initial entry point to a DoS scenar...
CVE-2011-1492
CVE-2011-1492 affects Roundcube Webmail prior to 0.5.1. The issue is in steps/utils/modcss.inc, where requests for an external CSS stylesheet are not properly verified, allowing remote authenticated users to trigger arbitrary outbound TCP connections from the server and potentially obtain sensiti...
CVE-2015-5382
The CVE-2015-5382 vulnerability affects Roundcube Webmail prior to 1.0.6 and 1.1.x prior to 1.1.2. Affected component: program/steps/addressbook/photo.inc. Root cause: information disclosure via the _alt parameter when uploading a vCard, allowing remote authenticated users to read arbitrary files...
CVE-2016-4552
CVE-2016-4552 affects Roundcube Webmail prior to 1.2.0. The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary web script or HTML via the href attribute in an area tag within an e-mail message. Public references consistently describe it as a remote XSS ...
CVE-2007-6321
The CVE-2007-6321 issue affects Roundcube webmail (0.1rc2 and earlier) where IE could execute XSS via style sheets containing expression commands. Connected OpenVAS/Nessus entries reference Fedora updates (FEDORA-2008-5333/5342/5315) that include XSS fixes for roundcubemail, indicating a patch-ba...
CVE-2012-4668
CVE-2012-4668 affects Roundcube Webmail (versions 0.8.1 and earlier). The vulnerability is a cross-site scripting (XSS) flaw that allows remote attackers to inject arbitrary script or HTML via the email signature field. The root cause is insufficient sanitization/exposure of the email signature i...
CVE-2009-4077
CVE-2009-4077 : Cross-site request forgery (CSRF) in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack authentication of unspecified users for requests that send arbitrary emails via unspecified vectors. The issue affects Roundcube Webmail up to version 0.2.2; Fedora advisorie...
CVE-2013-5645
CVE-2013-5645 pertains to multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before version 0.9.3. The issues allow user-assisted remote attackers to inject arbitrary script/HTML via the body of a message viewed in new or draft mode (compose.inc) and may also enable injectio...
CVE-2012-1253
CVE-2012-1253 is an XSS vulnerability in Roundcube Webmail before 0.7 where Internet Explorer handles an embedded image attachment; remote attackers could inject script or HTML. NVD lists a low base score (2.6, AV:N/AC:H/Au:N/I:P/A:N). Fedora/OpenVAS entries indicate Fedora advisories for roundcu...
CVE-2013-5646
Roundcube webmail 1.0-git is affected by a cross-site scripting (XSS) vulnerability that allows remote authenticated users to inject arbitrary web script or HTML through the Name field of an addressbook group. The linked sources consistently describe XSS in this component/version, but do not prov...
CVE-2026-35537
The CVE-2026-35537 vulnerability affects Roundcube Webmail prior to 1.5.14 and 1.6.14, where unsafe deserialization in the redis/memcache session handler can allow unauthenticated attackers to perform arbitrary file writes via crafted session data. Several advisories confirm this issue and refere...
CVE-2025-68460
Roundcube Webmail is vulnerable to information disclosure in the HTML style sanitizer for releases before 1.5.12 and 1.6.x before 1.6.12. Multiple advisories (Debian DSA-6087, DLA-4415-1; Fedora packages roundcubemail 1.6.12; EUVD-2025-204036; NVD entry CVE-2025-68460) confirm the issue and point...
CVE-2026-35541
Roundcube Webmail is affected in versions prior to 1.5.14 and 1.6.14 due to an incorrect password comparison in the password plugin, which can cause a type confusion and allow changing a password without the old one. Mitigation: upgrade to the patched releases (1.5.14 or 1.6.14); refer to the ass...
CVE-2026-54433
CVE-2026-54433 affects Roundcube Webmail prior to 1.6.17 and 1.7.x prior to 1.7.2. It is a Stored XSS vulnerability that allows attacker-controlled JavaScript to execute within the victim’s authenticated session simply by opening or previewing a crafted plain-text email (zero-click). Fedora advis...
CVE-2026-35545
The CVE-2026-35545 vulnerability affects Roundcube Webmail prior to 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed by SVG content in emails via animate element with attributeName=fill, filter, or stroke, enabling information disclosure or access-control bypass. Fedora/Debian...
CVE-2026-35540
Summary: CVE-2026-35540 affects Roundcube Webmail 1.6.0 through before 1.6.14. The issue is insufficient CSS sanitization in HTML e‑mail messages, which may allow SSRF or Information Disclosure when stylesheet links resolve to local network hosts. What’s affected: Roundcube Webmail (version linea...
CVE-2026-35538
This CVE affects Roundcube Webmail prior to 1.5.14 and prior to 1.6.14. The issue is unsanitized IMAP SEARCH arguments that can lead to IMAP injection or CSRF bypass during mail search. The connected sources indicate fixed releases: Roundcube 1.5.14 and 1.6.14 (and related security updates), so u...
CVE-2026-35544
CVE-2026-35544 affects Roundcube Webmail before 1.5.14 and 1.6.14. The issue is insufficient CSS sanitization in HTML emails, which may allow a fixed-position mitigation bypass via the use of !important. CVSS v3.1 base score 5.3 (Network, Low complexity, No privileges, No user interaction). The d...
CVE-2026-35543
The CVE affects Roundcube Webmail versions before 1.5.14 and 1.6.14. The issue allows bypassing the remote image blocking feature via SVG content (with animate attributes) in an e-mail message, which can lead to information disclosure or an access-control bypass. Remediation details documented in...
CVE-2026-35539
CVE-2026-35539 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The issue is an XSS vulnerability caused by insufficient HTML attachment sanitization in preview mode; a user must preview a text/html attachment for exploitation. The vulnerability is limited to scenarios where a victim preview...
CVE-2026-35542
CVE-2026-35542 affects Roundcube Webmail prior to 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed by a crafted background attribute of a BODY element in an email, potentially leading to information disclosure or an access-control bypass. No exploitation details are provided i...