Webmail@1.4.0 Security Vulnerabilities and Issues — Webmail@1.4.0 CVE List

Lucene search

RoundcubeWebmail1.4.0

6 matches found

CVE•added 2020/05/04 3:15 p.m.•594 views

CVE-2020-12641

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

9.8CVSS9.5AI score0.93068EPSS

In wild

CVE•added 2020/06/09 3:15 a.m.•204 views

CVE-2020-13965

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

6.3CVSS7AI score0.85203EPSS

In wildWeb

CVE•added 2020/05/04 3:15 p.m.•184 views

CVE-2020-12640

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

9.8CVSS9.1AI score0.20084EPSS

CVE•added 2020/07/06 12:15 p.m.•170 views

CVE-2020-15562

An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.

6.1CVSS5.7AI score0.00861EPSS

CVE•added 2020/08/12 1:15 p.m.•159 views

CVE-2020-16145

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

6.1CVSS5.7AI score0.00704EPSS

CVE•added 2020/06/09 3:15 a.m.•78 views

CVE-2020-13964

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

6.1CVSS7.1AI score0.00872EPSS