Medium severity6.1NVD Advisory· Published Mar 12, 2017· Updated May 13, 2026

CVE-2017-6820

Description

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

Affected products

Roundcube/Webmail5 versions
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*range: <=1.1.7
- cpe:2.3:a:roundcube:webmail:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4nvdIssue TrackingPatchThird Party Advisory
github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305nvdIssue TrackingPatchThird Party Advisory
github.com/roundcube/roundcubemail/releases/tag/1.1.8nvdPatchRelease NotesThird Party Advisory
github.com/roundcube/roundcubemail/releases/tag/1.2.4nvdPatchRelease NotesThird Party Advisory
roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-releasednvdRelease NotesVendor Advisory
www.securityfocus.com/bid/96817nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000