Filtered by vendor Roundcube
Subscriptions
Filtered by product Webmail
Subscriptions
Total
65 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-8864 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | ||||
| CVE-2015-5381 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. | ||||
| CVE-2017-16651 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2025-04-20 | 7.8 High |
| Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session. The issue is related to file-based attachment plugins and _task=settings&_action=upload-display&_from=timezone requests. | ||||
| CVE-2017-8114 | 1 Roundcube | 1 Webmail | 2025-04-20 | 8.8 High |
| Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. | ||||
| CVE-2017-6820 | 1 Roundcube | 1 Webmail | 2025-04-20 | N/A |
| rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element. | ||||
| CVE-2015-2181 | 1 Roundcube | 1 Webmail | 2025-04-20 | N/A |
| Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. | ||||
| CVE-2015-5382 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2025-04-20 | N/A |
| program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. | ||||
| CVE-2015-5383 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2025-04-20 | N/A |
| Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory. | ||||
| CVE-2015-2180 | 1 Roundcube | 1 Webmail | 2025-04-20 | N/A |
| The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password. | ||||
| CVE-2016-4068 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2025-04-20 | N/A |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | ||||
| CVE-2015-1433 | 3 Fedoraproject, Opensuse, Roundcube | 3 Fedora, Opensuse, Webmail | 2025-04-12 | N/A |
| program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email. | ||||
| CVE-2014-9587 | 1 Roundcube | 1 Webmail | 2025-04-12 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins. | ||||
| CVE-2016-4069 | 2 Opensuse, Roundcube | 2 Leap, Webmail | 2025-04-12 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors. | ||||
| CVE-2016-4552 | 1 Roundcube | 1 Webmail | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the href attribute in an area tag in an e-mail message. | ||||
| CVE-2015-8105 | 2 Opensuse, Roundcube | 2 Opensuse, Webmail | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload. | ||||
| CVE-2015-8793 | 1 Roundcube | 1 Webmail | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937. | ||||
| CVE-2016-9920 | 1 Roundcube | 1 Webmail | 2025-04-12 | N/A |
| steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message. | ||||
| CVE-2012-4668 | 1 Roundcube | 1 Webmail | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email. | ||||
| CVE-2012-3508 | 1 Roundcube | 1 Webmail | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. | ||||
| CVE-2012-3507 | 1 Roundcube | 1 Webmail | 2025-04-11 | N/A |
| Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject. | ||||