CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text...
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- December 27, 2020
- Published Date
- December 28, 2020
- Last Updated
- February 04, 2025
- Vendor
- n/a
- Product
- n/a
- Description
- An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
CVSS Scores
CVSS v3.1
6.1 - MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SSVC Information
- Exploitation
- active
- Technical Impact
- partial
Exploit Status
- Exploited in the Wild
- Yes (added 2023-06-22 00:00:00 UTC) Source
References
https://roundcube.net/download/
https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491
https://www.alexbirnberg.com/roundcube-xss.html
https://github.com/roundcube/roundcubemail/releases/tag/1.4.10
https://github.com/roundcube/roundcubemail/releases/tag/1.3.16
https://github.com/roundcube/roundcubemail/releases/tag/1.2.13
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| CISA | 2023-06-22 00:00:00 UTC |