Vulnerabilities > Roundcube > Webmail > 1.1
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-03-13 | CVE-2018-1000071 | Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. | 7.5 |
| 2017-11-09 | CVE-2017-16651 | Files or Directories Accessible to External Parties vulnerability in multiple products Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. | 7.8 |
| 2017-05-23 | CVE-2015-5383 | Information Exposure vulnerability in Roundcube Webmail and Webmail Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory. | 7.5 |
| 2017-05-23 | CVE-2015-5382 | Information Exposure vulnerability in Roundcube Webmail and Webmail program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. | 6.5 |
| 2017-05-23 | CVE-2015-5381 | Cross-site Scripting vulnerability in Roundcube Webmail and Webmail Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. | 6.1 |
| 2017-04-13 | CVE-2016-4068 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | 6.1 |
| 2017-04-13 | CVE-2015-8864 | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | 6.1 |
| 2017-03-12 | CVE-2017-6820 | Cross-site Scripting vulnerability in Roundcube Webmail rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | 6.1 |
| 2017-01-30 | CVE-2015-2181 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Roundcube Webmail Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. | 8.8 |
| 2017-01-30 | CVE-2015-2180 | Injection vulnerability in Roundcube Webmail The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. | 8.8 |