Vulnerabilities > Roundcube > Webmail

DATE CVE VULNERABILITY TITLE RISK
2019-08-20 CVE-2019-15237 Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
network
low complexity
roundcube fedoraproject
7.4
2019-04-07 CVE-2019-10740 Cleartext Transmission of Sensitive Information vulnerability in multiple products
In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email.
network
low complexity
roundcube fedoraproject opensuse CWE-319
4.3
2018-11-12 CVE-2018-19206 Cross-site Scripting vulnerability in multiple products
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
network
low complexity
roundcube debian CWE-79
6.1
2018-11-12 CVE-2018-19205 Information Exposure vulnerability in Roundcube Webmail
Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection warnings, which makes it easier for attackers to obtain sensitive information, a related issue to CVE-2017-17688.
network
low complexity
roundcube CWE-200
7.5
2018-05-16 CVE-2017-17688 The OpenPGP specification allows a Cipher Feedback Mode (CFB) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL. 5.9
2018-04-07 CVE-2018-9846 Improper Input Validation vulnerability in multiple products
In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence.
network
low complexity
roundcube debian CWE-20
8.8
2018-03-13 CVE-2018-1000071 Incorrect Permission Assignment for Critical Resource vulnerability in Roundcube Webmail
roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in exfiltration of gpg private key.
network
low complexity
roundcube CWE-732
7.5
2017-11-09 CVE-2017-16651 Files or Directories Accessible to External Parties vulnerability in multiple products
Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017.
local
low complexity
roundcube debian CWE-552
7.8
2017-05-23 CVE-2015-5383 Information Exposure vulnerability in Roundcube Webmail and Webmail
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
network
low complexity
roundcube CWE-200
7.5
2017-05-23 CVE-2015-5382 Information Exposure vulnerability in Roundcube Webmail and Webmail
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
network
low complexity
roundcube CWE-200
6.5