Vulnerabilities > Roundcube > Webmail > 1.2.7

DATE CVE VULNERABILITY TITLE RISK
2018-11-12 CVE-2018-19206 Cross-site Scripting vulnerability in multiple products
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
network
low complexity
roundcube debian CWE-79
6.1
2018-11-12 CVE-2018-19205 Information Exposure vulnerability in Roundcube Webmail
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688.
network
low complexity
roundcube CWE-200
7.5
2018-04-07 CVE-2018-9846 Improper Input Validation vulnerability in multiple products
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence.
network
low complexity
roundcube debian CWE-20
8.8
2018-03-13 CVE-2018-1000071 Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key.
network
low complexity
roundcube CWE-732
7.5