Bitnami package

roundcube

pkg:bitnami/roundcube

Vulnerabilities (17)

CVE	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2023-47272	—		>= 1.5.0, < 1.5.6	1.5.6	Nov 5, 2023	Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
CVE-2023-5631	—	KEV	< 1.4.15	1.4.15	Oct 18, 2023	Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
CVE-2023-43770	—	KEV	< 1.4.14	1.4.14	Sep 22, 2023	Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
CVE-2021-44025	—		< 1.3.17	1.3.17	Nov 19, 2021	Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
CVE-2021-44026	—	KEV	< 1.3.17	1.3.17	Nov 19, 2021	Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVE-2020-18671	—		< 1.4.4	1.4.4	Jun 24, 2021	Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
CVE-2020-18670	—		>= 1.4.4, <= 1.4.4	—	Jun 24, 2021	Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
CVE-2021-26925	—		< 1.4.11	1.4.11	Feb 9, 2021	Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
CVE-2020-35730	—	KEV	< 1.2.13	1.2.13	Dec 28, 2020	An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
CVE-2020-16145	—		< 1.3.15	1.3.15	Aug 12, 2020	Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
CVE-2020-15562	—		< 1.2.11	1.2.11	Jul 6, 2020	An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exist
CVE-2020-13964	—		< 1.3.12	1.3.12	Jun 9, 2020	An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
CVE-2020-13965	—	KEV	< 1.3.12	1.3.12	Jun 9, 2020	An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
CVE-2020-12640	—		>= 1.2.0, < 1.2.10	1.2.10	May 4, 2020	Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
CVE-2020-12641	—	KEV	>= 1.2.0, < 1.2.10	1.2.10	May 4, 2020	rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVE-2020-12625	—		< 1.4.4	1.4.4	May 4, 2020	An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
CVE-2020-12626	—		< 1.4.4	1.4.4	May 4, 2020	An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

CVE-2023-47272Nov 5, 2023
affected >= 1.5.0, < 1.5.6fixed 1.5.6
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
CVE-2023-5631KEVOct 18, 2023
affected < 1.4.15fixed 1.4.15
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.
CVE-2023-43770KEVSep 22, 2023
affected < 1.4.14fixed 1.4.14
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
CVE-2021-44025Nov 19, 2021
affected < 1.3.17fixed 1.3.17
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
CVE-2021-44026KEVNov 19, 2021
affected < 1.3.17fixed 1.3.17
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
CVE-2020-18671Jun 24, 2021
affected < 1.4.4fixed 1.4.4
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
CVE-2020-18670Jun 24, 2021
affected >= 1.4.4, <= 1.4.4
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
CVE-2021-26925Feb 9, 2021
affected < 1.4.11fixed 1.4.11
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
CVE-2020-35730KEVDec 28, 2020
affected < 1.2.13fixed 1.2.13
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
CVE-2020-16145Aug 12, 2020
affected < 1.3.15fixed 1.3.15
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
CVE-2020-15562Jul 6, 2020
affected < 1.2.11fixed 1.2.11
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exist
CVE-2020-13964Jun 9, 2020
affected < 1.3.12fixed 1.3.12
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
CVE-2020-13965KEVJun 9, 2020
affected < 1.3.12fixed 1.3.12
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
CVE-2020-12640May 4, 2020
affected >= 1.2.0, < 1.2.10fixed 1.2.10
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
CVE-2020-12641KEVMay 4, 2020
affected >= 1.2.0, < 1.2.10fixed 1.2.10
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
CVE-2020-12625May 4, 2020
affected < 1.4.4fixed 1.4.4
An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
CVE-2020-12626May 4, 2020
affected < 1.4.4fixed 1.4.4
An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.