Vulnerabilities > Roundcube > Webmail > 1.2.7
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-11-12 | CVE-2018-19206 | Cross-site Scripting vulnerability in multiple products steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment. | 6.1 |
| 2018-11-12 | CVE-2018-19205 | Information Exposure vulnerability in Roundcube Webmail Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688. | 7.5 |
| 2018-04-07 | CVE-2018-9846 | Improper Input Validation vulnerability in multiple products In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. | 8.8 |
| 2018-03-13 | CVE-2018-1000071 | Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key. | 7.5 |