Lucene search

Roundcube Webmail

9 matches found

added 2021/06/24 7:15 p.m. | 159 views

CVE-2020-18670

Cross Site Scripting (XSS) vulnerability in Roundcube mail .4.4 via database host and user in /installer/test.php.

5.4 CVSS | 5.6 AI score | 0.00415 EPSS

added 2021/06/24 7:15 p.m. | 155 views

CVE-2020-18671

Cross Site Scripting (XSS) vulnerability in Roundcube Mail

5.4 CVSS | 5.5 AI score | 0.00386 EPSS

added 2018/05/16 7:29 p.m. | 83 views

CVE-2017-17688

The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. NOTE: third parties report that this is a problem in applications that mishandle the Modification Detection Code (MDC) feature or accept an obsolet...

5.9 CVSS | 5.7 AI score | 0.0165 EPSS

added 2014/02/08 12:55 a.m. | 60 views

CVE-2013-1904

Absolute path traversal vulnerability in steps/mail/sendmail.inc in Roundcube Webmail before 0.7.3 and 0.8.x before 0.8.6 allows remote attackers to read arbitrary files via a full pathname in the _value parameter for the generic_message_footer setting in a save-perf action to index.php, as exploit...

5 CVSS | 6.5 AI score | 0.00402 EPSS

added 2021/02/09 9:15 a.m. | 57 views

CVE-2021-26925

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

5.4 CVSS | 5 AI score | 0.00259 EPSS

added 2011/11/03 3:55 p.m. | 50 views

CVE-2011-4078

include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CV...

5 CVSS | 6.8 AI score | 0.01085 EPSS

added 2010/01/29 6:30 p.m. | 43 views

CVE-2010-0464

Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.

5 CVSS | 6.3 AI score | 0.0026 EPSS

added 2005/12/20 2:3 a.m. | 41 views

CVE-2005-4368

roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full path of the application via an invalid_task parameter, which leaks the path in an error message.

5 CVSS | 6.5 AI score | 0.00346 EPSS

added 2011/04/08 3:17 p.m. | 40 views

CVE-2011-1492

steps/utils/modcss.inc in Roundcube Webmail before 0.5.1 does not properly verify that a request is an expected request for an external Cascading Style Sheets (CSS) stylesheet, which allows remote authenticated users to trigger arbitrary outbound TCP connections from the server, and possibly obtain...

5.5 CVSS | 6.2 AI score | 0.0039 EPSS