Webmail Security Vulnerabilities and Issues — Page 2 of Webmail CVE List

Lucene search

RoundcubeWebmail

68 matches found

CVE•added 2011/04/08 3:17 p.m.•44 views

CVE-2011-1491

The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-m...

3.5CVSS5.6AI score0.0039EPSS

CVE•added 2013/02/24 9:55 p.m.•44 views

CVE-2012-6121

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.

4.3CVSS5.4AI score0.00407EPSS

CVE•added 2018/03/13 3:29 p.m.•44 views

CVE-2018-1000071

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. This attack appear to be exploitable via network connectivity.

7.5CVSS7.4AI score0.00307EPSS

CVE•added 2008/12/17 2:30 a.m.•43 views

CVE-2008-5620

RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image.

7.8CVSS6.2AI score0.00568EPSS

CVE•added 2010/01/29 6:30 p.m.•43 views

CVE-2010-0464

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

5CVSS6.3AI score0.0026EPSS

CVE•added 2011/09/21 4:55 p.m.•43 views

CVE-2011-2937

Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

4.3CVSS5.9AI score0.00665EPSS

CVE•added 2009/11/25 10:0 p.m.•42 views

CVE-2009-4076

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077.

6.8CVSS6.5AI score0.00212EPSS

CVE•added 2015/11/10 5:59 p.m.•42 views

CVE-2015-8105

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

3.5CVSS6.3AI score0.0018EPSS

CVE•added 2005/12/20 2:3 a.m.•41 views

CVE-2005-4368

roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full path of the application via an invalid_task parameter, which leaks the path in an error message.

5CVSS6.5AI score0.00346EPSS

CVE•added 2011/04/08 3:17 p.m.•40 views

CVE-2011-1492

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain...

5.5CVSS6.2AI score0.0039EPSS

CVE•added 2012/08/25 10:29 a.m.•39 views

CVE-2012-4668

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.

4.3CVSS5.8AI score0.05064EPSS

CVE•added 2007/12/12 1:46 a.m.•38 views

CVE-2007-6321

Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands.

4.3CVSS5.4AI score0.07557EPSS

CVE•added 2009/11/25 10:0 p.m.•37 views

CVE-2009-4077

Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076.

6.8CVSS6.9AI score0.00212EPSS

CVE•added 2013/08/29 12:7 p.m.•37 views

CVE-2013-5645

Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to...

4.3CVSS5.2AI score0.00305EPSS

CVE•added 2017/05/23 4:29 a.m.•36 views

CVE-2015-5382

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

6.5CVSS6.5AI score0.01037EPSS

CVE•added 2016/12/20 10:59 p.m.•36 views

CVE-2016-4552

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message.

6.1CVSS6AI score0.00276EPSS

CVE•added 2012/06/04 3:55 p.m.•34 views

CVE-2012-1253

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.

2.6CVSS5.5AI score0.00254EPSS

CVE•added 2013/08/29 12:7 p.m.•31 views

CVE-2013-5646

Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.

3.5CVSS5.4AI score0.00159EPSS

Total number of security vulnerabilities68