Unrated severity · CISA KEV · NVD Advisory · Published Dec 28, 2020 · Updated Oct 21, 2025
CVE-2020-35730
Description
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
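The following is an added illustration of the bug class described above, not Roundcube's code and not the project's fix: a minimal PHP converter that turns `[n] target` link references in a plain-text body into HTML anchors, in the spirit of what rcube_string_replacer::linkref_addindex() does when a plain-text message is rendered. The regular expression, the function names and the sample message are assumptions made for this example. The vulnerable variant copies the reference target into `href` unchecked, so a `javascript:` target becomes a clickable script in the webmail origin; the hardened variant allow-lists the URL scheme and attribute-escapes what it emits.

```php
<?php
// Added illustration for CVE-2020-35730 (not Roundcube's code). A plain-text
// link reference looks like "[1] https://example.com"; the converter replaces
// it with an anchor. Pattern and function names are hypothetical.

// Matches "[n] target" where target is any run of non-whitespace (assumed pattern).
const LINKREF_PATTERN = '/\[(\d+)\]\s+(\S+)/';

// Vulnerable: whatever follows "[n]" becomes the href, scheme and all, and
// nothing is escaped, so "javascript:" targets become executable links.
function linkref_vulnerable(string $text): string
{
    return preg_replace_callback(LINKREF_PATTERN, function (array $m): string {
        return sprintf('<a href="%s">[%s]</a>', $m[2], $m[1]);
    }, $text);
}

// Hardened: only http(s)/ftp/mailto targets become links; anything else is
// emitted as escaped text, and the href and label are attribute-escaped.
function linkref_hardened(string $text): string
{
    return preg_replace_callback(LINKREF_PATTERN, function (array $m): string {
        $target = $m[2];
        if (!preg_match('#^(https?|ftp|mailto):#i', $target)) {
            // Disallowed or missing scheme: keep the reference visible, never as a link.
            return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        }
        return sprintf(
            '<a href="%s" target="_blank" rel="noreferrer">[%s]</a>',
            htmlspecialchars($target, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8')
        );
    }, $text);
}

// Constructed sample message body: one legitimate reference, one malicious one.
$body = "See the report [1] https://example.com/report\n"
      . "and the payload [2] javascript:alert(document.cookie)\n";

echo "Vulnerable:\n", linkref_vulnerable($body), "\n";
echo "Hardened:\n", linkref_hardened($body), "\n";
```

Run with `php linkref.php`: the vulnerable output contains `href="javascript:alert(document.cookie)"`, while the hardened output renders reference [2] as escaped text and only [1] as a link. Apply the scheme check to the final value that will be written into `href`; if the converter normalizes targets (for instance by prepending `http://` to bare hostnames), the check must run on the normalized string, not before it.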
Affected products
- Roundcube / Roundcube Webmail
Patches
354bf3d0d1acb Require roundcube/plugin-installer 0.2.0
1 file changed · +1 −1
composer.json-dist+1 −1 modified@@ -22,7 +22,7 @@ "pear/net_smtp": "~1.7.1", "pear/crypt_gpg": "~1.6.3", "pear/net_sieve": "~1.4.0", - "roundcube/plugin-installer": "~0.1.6", + "roundcube/plugin-installer": "~0.2.0", "endroid/qr-code": "~1.6.5" }, "require-dev": {
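Review bot: this composer.json-dist change only bumps roundcube/plugin-installer from ~0.1.6 to ~0.2.0 and does not touch program/lib/Roundcube/rcube_string_replacer.php or linkref_addindex, so it is not the fix for the XSS described in this advisory. Listing it under Patches without the commit that changes rcube_string_replacer.php leaves nothing code-level to review; link the actual fix commit (the roundcubemail 1.4.9...1.4.10 compare in the References is where to find it) or mark this entry as a release-packaging change.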
9b69cce641a8 Update changelog
1 file changed · +2 −0
CHANGELOG+2 −0 modified@@ -1,6 +1,8 @@ CHANGELOG Roundcube Webmail =========================== +RELEASE 1.2.13 +-------------- - Security: Fix cross-site scripting (XSS) via HTML or Plain text messages with malicious content [CVE-2020-35730] RELEASE 1.2.12
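Review bot: the security line under the new RELEASE 1.2.13 header says the XSS is reachable "via HTML or Plain text messages", while the advisory description names only plain-text messages and linkref_addindex; one of the two is incomplete. Suggest the changelog entry also name the affected component (rcube_string_replacer.php) so the CVE can be mapped to the code, e.g. "- Security: Fix cross-site scripting (XSS) via plain text messages with malicious link references in rcube_string_replacer [CVE-2020-35730]". Note that this hunk only adds the release header; the security line itself already existed before this commit.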
4efec49a46a3 Bump version to 1.4.10
6 files changed · +7 −5
CHANGELOG+2 −0 modified@@ -1,6 +1,8 @@ CHANGELOG Roundcube Webmail =========================== +RELEASE 1.4.10 +-------------- - Fix extra angle brackets in In-Reply-To header derived from mailto: params (#7655) - Fix folder list issue whan special folder is a subfolder (#7647) - Fix Elastic's folder subscription toggle in search result (#7653)
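Review bot: the visible context under the new RELEASE 1.4.10 header lists only bug fixes (#7655, #7647, #7653) and no security entry, unlike the RELEASE 1.2.13 hunk above, which has the CVE-2020-35730 line directly under its header. Confirm the CVE-2020-35730 security line is present in the 1.4.10 section further down, and consider placing it first so that anyone reading the release notes sees the reason to upgrade.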
index.php+1 −1 modified@@ -2,7 +2,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
installer/index.php+1 −1 modified@@ -3,7 +3,7 @@ /** +-------------------------------------------------------------------------+ | Roundcube Webmail setup tool | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
program/include/iniset.php+1 −1 modified@@ -20,7 +20,7 @@ */ // application constants -define('RCMAIL_VERSION', '1.4.9'); +define('RCMAIL_VERSION', '1.4.10'); define('RCMAIL_START', microtime(true)); if (!defined('INSTALL_PATH')) {
program/lib/Roundcube/bootstrap.php+1 −1 modified@@ -58,7 +58,7 @@ } // framework constants -define('RCUBE_VERSION', '1.4.9'); +define('RCUBE_VERSION', '1.4.10'); define('RCUBE_CHARSET', 'UTF-8'); define('RCUBE_TEMP_FILE_PREFIX', 'RCMTEMP');
public_html/index.php+1 −1 modified@@ -3,7 +3,7 @@ /* +-----------------------------------------------------------------------+ | Roundcube Webmail IMAP Client | - | Version 1.4.9 | + | Version 1.4.10 | | | | Copyright (C) The Roundcube Dev Team | | |
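Review bot: the same version string is hand-edited in five places (the banner comments in index.php, installer/index.php and public_html/index.php, plus RCMAIL_VERSION in program/include/iniset.php and RCUBE_VERSION in program/lib/Roundcube/bootstrap.php). Any one of them drifting yields wrong version reporting, which matters for an advisory whose fix is identified by version. Suggest deriving the banner text and RCMAIL_VERSION from the single RCUBE_VERSION constant, so a release bump is a one-line change.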
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/ (Fedora vendor advisory)
- bugs.debian.org/cgi-bin/bugreport.cgi (Debian bug report)
- github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 (upstream compare view)
- github.com/roundcube/roundcubemail/releases/tag/1.2.13 (upstream release)
- github.com/roundcube/roundcubemail/releases/tag/1.3.16 (upstream release)
- github.com/roundcube/roundcubemail/releases/tag/1.4.10 (upstream release)
- roundcube.net/download/ (upstream downloads)
- www.alexbirnberg.com/roundcube-xss.html (researcher write-up)