Vulnerabilities > Roundcube > Webmail > 1.2.3

DATE CVE VULNERABILITY TITLE RISK
2018-11-12 CVE-2018-19206 Cross-site Scripting vulnerability in multiple products
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
network
low complexity
roundcube debian CWE-79
6.1
2018-11-12 CVE-2018-19205 Information Exposure vulnerability in Roundcube Webmail
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688.
network
low complexity
roundcube CWE-200
7.5
2018-04-07 CVE-2018-9846 Improper Input Validation vulnerability in multiple products
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence.
network
low complexity
roundcube debian CWE-20
8.8
2018-03-13 CVE-2018-1000071 Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key.
network
low complexity
roundcube CWE-732
7.5
2017-11-09 CVE-2017-16651 Files or Directories Accessible to External Parties vulnerability in multiple products
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
local
low complexity
roundcube debian CWE-552
7.8
2017-04-29 CVE-2017-8114 Improper Privilege Management vulnerability in Roundcube Webmail
Roundcube Webmail allows arbitrary password resets by authenticated users.
network
low complexity
roundcube CWE-269
8.8
2017-03-12 CVE-2017-6820 Cross-site Scripting vulnerability in Roundcube Webmail
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
network
low complexity
roundcube CWE-79
6.1