Vulnerabilities > Roundcube > Webmail > 1.2.2
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-09 | CVE-2020-13964 | Cross-site Scripting vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. | 6.1 |
| 2020-05-04 | CVE-2020-12641 | OS Command Injection vulnerability in multiple products rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path. | 7.5 |
| 2020-05-04 | CVE-2020-12640 | Path Traversal vulnerability in multiple products Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | 7.5 |
| 2020-05-04 | CVE-2020-12626 | Cross-Site Request Forgery (CSRF) vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.4.4. | 4.3 |
| 2020-05-04 | CVE-2020-12625 | Cross-site Scripting vulnerability in multiple products An issue was discovered in Roundcube Webmail before 1.4.4. | 4.3 |
| 2019-08-20 | CVE-2019-15237 | Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks. | 7.4 |
| 2019-04-07 | CVE-2019-10740 | Cleartext Transmission of Sensitive Information vulnerability in multiple products In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. | 4.3 |
| 2018-11-12 | CVE-2018-19206 | Cross-site Scripting vulnerability in multiple products steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | 4.3 |
| 2018-11-12 | CVE-2018-19205 | Information Exposure vulnerability in Roundcube Webmail Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. | 5.0 |
| 2018-04-07 | CVE-2018-9846 | Improper Input Validation vulnerability in multiple products In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. | 8.8 |