Vulnerabilities > Roundcube > Webmail
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-08-05 | CVE-2024-42008 | Cross-site Scripting vulnerability in Roundcube Webmail A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | 9.3 |
2024-08-05 | CVE-2024-42009 | Cross-site Scripting vulnerability in Roundcube Webmail A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php. | 9.3 |
2024-06-07 | CVE-2024-37383 | Cross-site Scripting vulnerability in multiple products Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. | 6.1 |
2023-11-06 | CVE-2023-47272 | Cross-site Scripting vulnerability in multiple products Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | 6.1 |
2023-10-18 | CVE-2023-5631 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. | 5.4 |
2023-09-22 | CVE-2023-43770 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | 6.1 |
2021-11-19 | CVE-2021-44025 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | 6.1 |
2021-11-19 | CVE-2021-44026 | SQL Injection vulnerability in multiple products Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params. | 9.8 |
2021-06-24 | CVE-2020-18670 | Cross-site Scripting vulnerability in Roundcube Webmail 1.4.4 Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | 5.4 |
2021-06-24 | CVE-2020-18671 | Cross-site Scripting vulnerability in Roundcube Webmail Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | 5.4 |