Vulnerabilities > Roundcube > Webmail > 1.0.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-04-13 | CVE-2016-4068 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | 4.3 |
| 2017-04-13 | CVE-2015-8864 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | 4.3 |
| 2017-03-12 | CVE-2017-6820 | Cross-site Scripting vulnerability in Roundcube Webmail rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | 4.3 |
| 2017-01-30 | CVE-2015-2181 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Roundcube Webmail Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. | 6.5 |
| 2016-12-08 | CVE-2016-9920 | Improper Access Control vulnerability in Roundcube Webmail steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. | 6.0 |
| 2016-08-25 | CVE-2016-4069 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. | 6.8 |
| 2016-01-29 | CVE-2015-8793 | Cross-site Scripting vulnerability in Roundcube Webmail Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. | 4.3 |
| 2015-11-10 | CVE-2015-8105 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. | 3.5 |
| 2015-02-03 | CVE-2015-1433 | Cross-site Scripting vulnerability in multiple products program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. | 4.3 |
| 2015-01-15 | CVE-2014-9587 | Cross-Site Request Forgery (CSRF) vulnerability in Roundcube Webmail Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. | 6.8 |