Webmail Security Vulnerabilities and Issues — Webmail CVE List

Lucene search

RoundcubeWebmail

10 matches found

CVE•added 2017/11/09 2:29 p.m.•1058 views

CVE-2017-16651

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid u...

7.8CVSS7.2AI score0.30531EPSS

CVE•added 2017/05/23 4:29 a.m.•555 views

CVE-2015-5383

Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.

7.5CVSS7.1AI score0.01804EPSS

CVE•added 2017/04/29 7:59 p.m.•93 views

CVE-2017-8114

Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

8.8CVSS8.5AI score0.0156EPSS

CVE•added 2017/01/30 10:59 p.m.•61 views

CVE-2015-2180

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.

9CVSS8.9AI score0.02743EPSS

CVE•added 2017/04/13 2:59 p.m.•56 views

CVE-2015-8864

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.

6.1CVSS5.9AI score0.00729EPSS

CVE•added 2017/04/13 2:59 p.m.•56 views

CVE-2016-4068

6.1CVSS5.9AI score0.00729EPSS

CVE•added 2017/01/30 10:59 p.m.•55 views

CVE-2015-2181

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.

8.8CVSS8.9AI score0.00764EPSS

CVE•added 2017/05/23 4:29 a.m.•45 views

CVE-2015-5381

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

6.1CVSS6.1AI score0.02372EPSS

CVE•added 2017/03/12 5:59 a.m.•45 views

CVE-2017-6820

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

6.1CVSS5.7AI score0.00556EPSS

CVE•added 2017/05/23 4:29 a.m.•36 views

CVE-2015-5382

program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.

6.5CVSS6.5AI score0.01037EPSS