rpm package
suse/roundcubemail&distro=SUSE Package Hub 15 SP5
pkg:rpm/suse/roundcubemail&distro=SUSE%20Package%20Hub%2015%20SP5
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-42010 | Hig | 7.5 | < 1.6.8-bp156.2.3.1 | 1.6.8-bp156.2.3.1 | Aug 5, 2024 | mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information. | |
| CVE-2024-42009 | — | KEV | < 1.6.8-bp156.2.3.1 | 1.6.8-bp156.2.3.1 | Aug 5, 2024 | A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | |
| CVE-2024-42008 | — | < 1.6.8-bp156.2.3.1 | 1.6.8-bp156.2.3.1 | Aug 5, 2024 | A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | ||
| CVE-2023-47272 | — | < 1.6.7-bp155.2.9.1 | 1.6.7-bp155.2.9.1 | Nov 5, 2023 | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | ||
| CVE-2023-5631 | — | KEV | < 1.6.4-bp155.2.6.1 | 1.6.4-bp155.2.6.1 | Oct 18, 2023 | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code. |
- affected < 1.6.8-bp156.2.3.1fixed 1.6.8-bp156.2.3.1
mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.
- affected < 1.6.8-bp156.2.3.1fixed 1.6.8-bp156.2.3.1
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
- CVE-2024-42008Aug 5, 2024affected < 1.6.8-bp156.2.3.1fixed 1.6.8-bp156.2.3.1
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
- CVE-2023-47272Nov 5, 2023affected < 1.6.7-bp155.2.9.1fixed 1.6.7-bp155.2.9.1
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
- affected < 1.6.4-bp155.2.6.1fixed 1.6.4-bp155.2.6.1
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. This could allow a remote attacker to load arbitrary JavaScript code.