Vulnerabilities > Roundcube > Webmail > 0.9.4

DATE CVE VULNERABILITY TITLE RISK
2018-03-13 CVE-2018-1000071 Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key.
network
low complexity
roundcube CWE-732
7.5
2017-11-09 CVE-2017-16651 Files or Directories Accessible to External Parties vulnerability in multiple products
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
local
low complexity
roundcube debian CWE-552
7.8
2017-04-29 CVE-2017-8114 Improper Privilege Management vulnerability in Roundcube Webmail
Roundcube Webmail allows arbitrary password resets by authenticated users.
network
low complexity
roundcube CWE-269
8.8
2017-04-13 CVE-2016-4068 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
network
low complexity
opensuse roundcube CWE-79
6.1
2017-04-13 CVE-2015-8864 Cross-site Scripting vulnerability in multiple products
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
network
low complexity
opensuse roundcube CWE-79
6.1
2017-03-12 CVE-2017-6820 Cross-site Scripting vulnerability in Roundcube Webmail
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
network
low complexity
roundcube CWE-79
6.1
2017-01-30 CVE-2015-2181 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Roundcube Webmail
Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username.
network
low complexity
roundcube CWE-119
8.8
2016-12-08 CVE-2016-9920 Improper Access Control vulnerability in Roundcube Webmail
steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.
network
high complexity
roundcube CWE-284
7.5
2016-08-25 CVE-2016-4069 Cross-Site Request Forgery (CSRF) vulnerability in multiple products
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
network
low complexity
opensuse roundcube CWE-352
8.8
2016-01-29 CVE-2015-8793 Cross-site Scripting vulnerability in Roundcube Webmail
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937.
network
low complexity
roundcube CWE-79
6.1