ALT-PU-2016-1365-1
Closed vulnerabilities
Published: 2017-04-13
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2015-8864
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Severity: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- openSUSE-SU-2016:2108
- openSUSE-SU-2016:2108
- openSUSE-SU-2016:2109
- openSUSE-SU-2016:2109
- openSUSE-SU-2016:2127
- openSUSE-SU-2016:2127
- https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
- https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18
- https://github.com/roundcube/roundcubemail/issues/4949
- https://github.com/roundcube/roundcubemail/issues/4949
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
Published: 2017-04-13
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-4068
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Severity: MEDIUM (6.1)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- openSUSE-SU-2016:2108
- openSUSE-SU-2016:2108
- openSUSE-SU-2016:2109
- openSUSE-SU-2016:2109
- openSUSE-SU-2016:2127
- openSUSE-SU-2016:2127
- https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
- https://github.com/roundcube/roundcubemail/commit/40d7342dd9c9bd2a1d613edc848ed95a4d71aa18#commitcomment-15294218
- https://github.com/roundcube/roundcubemail/issues/4949
- https://github.com/roundcube/roundcubemail/issues/4949
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
- https://github.com/roundcube/roundcubemail/releases/tag/1.0.9
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
Published: 2016-08-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-4069
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
Severity: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- openSUSE-SU-2016:2109
- openSUSE-SU-2016:2109
- [oss-security] 20160423 Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF
- [oss-security] 20160423 Re: CVE Request: Roundcube: XSS issue in SVG image handling and protection for download urs against CSRF
- 92654
- 92654
- https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
- https://github.com/roundcube/roundcubemail/commit/4a408843b0ef816daf70a472a02b78cd6073a4d5
- https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
- https://github.com/roundcube/roundcubemail/commit/699af1e5206ed9114322adaa3c25c1c969640a53
- https://github.com/roundcube/roundcubemail/issues/4957
- https://github.com/roundcube/roundcubemail/issues/4957
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.1.5
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115
- https://github.com/roundcube/roundcubemail/wiki/Changelog#release-115