rpm package
opensuse/roundcubemail (distro: openSUSE Tumbleweed)
pkg:rpm/opensuse/roundcubemail?distro=openSUSE%20Tumbleweed
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-48849 | Medium | 4.4 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the restored draft value could lead to stored XSS/HTML/CSS injection on shared mailboxes. |
| CVE-2026-48848 | High | 7.2 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element with the attributeName attribute. |
| CVE-2026-48847 | Low | 3.7 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via a redis/memcache session-poisoning bypass. |
| CVE-2026-48846 | Medium | 6.5 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information disclosure or access-control bypass. |
| CVE-2026-48845 | Medium | 6.5 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information disclosure or privilege escalation via a text/html e-mail message. |
| CVE-2026-48844 | High | 7.5 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code-evaluation logic in the LDAP autovalues option that could lead to code injection. (Support for code evaluation has been removed in 1.6.16 and 1.7.1.) |
| CVE-2026-48843 | High | 7.2 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16, and 1.7.x before 1.7.1, has insufficient Cascading Style Sheets (CSS) sanitization in HTML e-mail messages, which may lead to SSRF or information disclosure, e.g., if stylesheet links point to local network hosts. The issue stems from an |
| CVE-2026-48842 | High | 8.1 | | < 1.6.16-2.1 | 1.6.16-2.1 | May 25, 2026 | Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has pre-authentication SQL injection in the virtuser_query plugin via a preg_replace() backslash-escape bypass. |
| CVE-2024-42010 | High | 7.5 | | < 1.6.8-1.1 | 1.6.8-1.1 | Aug 5, 2024 | mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. |
| CVE-2024-42009 | — | — | KEV | < 1.6.8-1.1 | 1.6.8-1.1 | Aug 5, 2024 | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php. |
| CVE-2024-42008 | — | — | | < 1.6.8-1.1 | 1.6.8-1.1 | Aug 5, 2024 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. |
| CVE-2023-47272 | — | — | | < 1.6.5-1.1 | 1.6.5-1.1 | Nov 5, 2023 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). |
| CVE-2023-5631 | — | — | KEV | < 1.6.4-1.1 | 1.6.4-1.1 | Oct 18, 2023 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
| CVE-2020-35730 | — | — | KEV | < 1.4.11-1.3 | 1.4.11-1.3 | Dec 28, 2020 | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain-text e-mail message with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php. |
| CVE-2020-16145 | — | — | | < 1.4.11-1.3 | 1.4.11-1.3 | Aug 12, 2020 | Roundcube Webmail before 1.3.15 and 1.4.x before 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. |
| CVE-2020-12641 | — | — | KEV | < 1.4.11-1.3 | 1.4.11-1.3 | May 4, 2020 | rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. |
| CVE-2019-10740 | — | — | | < 1.4.11-1.3 | 1.4.11-1.3 | Apr 7, 2019 | In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can b |
| CVE-2018-9846 | High | 8.8 | | < 1.4.11-1.3 | 1.4.11-1.3 | Apr 7, 2018 | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection a |
| CVE-2017-16651 | High | 7.8 | KEV | < 1.4.11-1.3 | 1.4.11-1.3 | Nov 9, 2017 | Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target sy |
| CVE-2017-8114 | High | 8.8 | | < 1.4.11-1.3 | 1.4.11-1.3 | Apr 29, 2017 | Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. |
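The "Affected versions" and "Fixed in" columns are distro build strings (upstream version plus openSUSE release number), so a host on upstream 1.6.16 but release 1.1 is still listed as affected. Comparing them by hand is error-prone; the script below is an added example, not code from the Roundcube project or from the site that produced this table. It reimplements librpm's rpmvercmp() and epoch:version-release comparison rules in pure Python (so it runs without the rpm bindings), copies the CVE-to-fixed-build map from the table above, and reports which listed CVEs are still outstanding for a given installed build. The installed build strings in the usage are constructed; on a real host they come from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' roundcubemail`.

```python
"""Check an installed roundcubemail RPM build against the table's "Fixed in" column.

Added example for this page, not code from the Roundcube project or the site
that produced the table. Pure-Python reimplementation of librpm's rpmvercmp()
and epoch:version-release ordering; the CVE map is copied from the table.
"""

# Fixed-in build -> CVEs, copied from the 20 rows on page 1 of the table.
FIXED_IN = {
    "1.6.16-2.1": [
        "CVE-2026-48842", "CVE-2026-48843", "CVE-2026-48844", "CVE-2026-48845",
        "CVE-2026-48846", "CVE-2026-48847", "CVE-2026-48848", "CVE-2026-48849",
    ],
    "1.6.8-1.1": ["CVE-2024-42008", "CVE-2024-42009", "CVE-2024-42010"],
    "1.6.5-1.1": ["CVE-2023-47272"],
    "1.6.4-1.1": ["CVE-2023-5631"],
    "1.4.11-1.3": [
        "CVE-2017-8114", "CVE-2017-16651", "CVE-2018-9846", "CVE-2019-10740",
        "CVE-2020-12641", "CVE-2020-16145", "CVE-2020-35730",
    ],
}


def _take(s: str, k: int, pred) -> tuple[str, int]:
    """Return the run of characters satisfying pred starting at s[k], and the new index."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings with librpm's rules; returns -1, 0 or 1.

    Digit runs compare numerically (leading zeros ignored), letter runs compare as
    strings, a numeric segment beats an alphabetic one, '~' sorts before anything
    including end of string (1.0~rc1 < 1.0), '^' sorts after end of string but
    before any further segment (1.0 < 1.0^post1 < 1.0.1), and every other
    character is only a segment separator.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: older than everything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than end, older than a segment
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        sa, i = _take(a, i, kind)
        sb, j = _take(b, j, kind)
        if not sb:                          # mixed kinds: the numeric side is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whoever has characters left is newer


def parse_evr(evr: str) -> tuple[str, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_compare(x: str, y: str) -> int:
    """Order two full build strings: epoch first, then version, then release."""
    for px, py in zip(parse_evr(x), parse_evr(y)):
        rc = rpmvercmp(px, py)
        if rc:
            return rc
    return 0


def unfixed_cves(installed_evr: str) -> list[str]:
    """CVEs from the table whose fixed-in build is newer than the installed one."""
    return sorted(
        cve
        for fixed, cves in FIXED_IN.items()
        if evr_compare(installed_evr, fixed) < 0
        for cve in cves
    )


if __name__ == "__main__":
    # Constructed sample builds; on a real host feed in the output of
    #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' roundcubemail
    for build in ("1.6.7-3.2", "1.6.16-1.1", "1.6.16-2.1"):
        print(build, "->", unfixed_cves(build) or "no listed CVE outstanding")
```

The tilde and caret rules matter on Tumbleweed, where pre-release and post-release snapshots ("1.7.0~rc1", "1.6.16^git...") do appear as package versions; a naive string or tuple comparison would rank "1.7.0~rc1" above "1.7.0" and miss that the installed build is older than the fix.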
Page 1 of 2 (20 of the 27 vulnerabilities are listed above; the remaining 7 are on page 2)