Vulnerabilities > Roundcube > Webmail

DATE CVE VULNERABILITY TITLE RISK
2024-08-05 CVE-2024-42008 Cross-site Scripting vulnerability in Roundcube Webmail
A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header.
network
low complexity
roundcube CWE-79
critical
9.3
2024-08-05 CVE-2024-42009 Cross-site Scripting vulnerability in Roundcube Webmail
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
network
low complexity
roundcube CWE-79
critical
9.3
2024-06-07 CVE-2024-37383 Cross-site Scripting vulnerability in multiple products
Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.
network
low complexity
roundcube debian CWE-79
6.1
2023-11-06 CVE-2023-47272 Cross-site Scripting vulnerability in multiple products
Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).
network
low complexity
roundcube fedoraproject debian CWE-79
6.1
2023-10-18 CVE-2023-5631 Cross-site Scripting vulnerability in multiple products
Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior.
network
low complexity
roundcube debian fedoraproject CWE-79
5.4
2023-09-22 CVE-2023-43770 Cross-site Scripting vulnerability in multiple products
Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior.
network
low complexity
roundcube debian CWE-79
6.1
2021-11-19 CVE-2021-44025 Cross-site Scripting vulnerability in multiple products
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
network
low complexity
roundcube fedoraproject debian CWE-79
6.1
2021-11-19 CVE-2021-44026 SQL Injection vulnerability in multiple products
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
network
low complexity
roundcube fedoraproject debian CWE-89
critical
9.8
2021-06-24 CVE-2020-18670 Cross-site Scripting vulnerability in Roundcube Webmail 1.4.4
Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.
network
low complexity
roundcube CWE-79
5.4
2021-06-24 CVE-2020-18671 Cross-site Scripting vulnerability in Roundcube Webmail
Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.
network
low complexity
roundcube CWE-79
5.4