ALT-PU-2019-3109-1
Closed vulnerabilities
BDU:2020-03977
Vulnerability in Roundcube, the AJAX-based webmail for IMAP servers, related to flaws in the measures used to protect web page structure, allowing an attacker to affect data integrity
BDU:2020-03988
Vulnerability in the RoundCube Webmail mail client related to flaws in the measures used to protect web page structure, allowing an attacker to affect data integrity
BDU:2020-03989
Vulnerability in the RoundCube Webmail mail client related to flaws in the measures used to protect web page structure, allowing an attacker to affect data integrity
BDU:2020-04501
Vulnerability in the wash_uri function (rcube_washtml.php) of the RoundCube Webmail mail client related to flaws in the measures used to protect web page structure, allowing an attacker to violate data integrity
BDU:2021-06259
Vulnerability in the Roundcube mail client related to failure to take measures to protect SQL query structure, allowing an attacker to execute arbitrary SQL code
Modified: 2024-11-21
CVE-2020-12640
Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.
- openSUSE-SU-2020:1516
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12640-PHP%20Local%20File%20Inclusion-Roundcube
- https://github.com/roundcube/roundcubemail/commit/814eadb699e8576ce3a78f21e95bf69a7c7b3794
- https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
- https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
- GLSA-202007-41
Modified: 2025-03-14
CVE-2020-12641
rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.
- openSUSE-SU-2020:1516
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12641-Command%20Injection-Roundcube
- https://github.com/roundcube/roundcubemail/commit/fcfb099477f353373c34c8a65c9035b06b364db3
- https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.4
- https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
- GLSA-202007-41
Modified: 2024-11-21
CVE-2020-13964
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.
- https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
- FEDORA-2020-2a1a6a8432
- FEDORA-2020-aeffd92b77
- https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
- DSA-4700
Modified: 2025-02-13
CVE-2020-13965
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube
- https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3
- https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
- FEDORA-2020-2a1a6a8432
- FEDORA-2020-aeffd92b77
- https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
- DSA-4700
Modified: 2024-11-21
CVE-2020-15562
An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.
- openSUSE-SU-2020:1516
- https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82
- https://github.com/roundcube/roundcubemail/releases/tag/1.2.11
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.14
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.7
- DSA-4720
Modified: 2024-11-21
CVE-2020-16145
Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.
- openSUSE-SU-2020:1516
- https://github.com/roundcube/roundcubemail/commit/a71bf2e8d4a64ff2c83fdabc1e8cb0c045a41ef4
- https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b#diff-d3bb3391c79904494c60ee2ac2f33070
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.15
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.8
- FEDORA-2020-d0f8f20cfc
- FEDORA-2020-b1e023936e
Modified: 2024-11-21
CVE-2021-44025
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message.
- https://bugs.debian.org/1000156
- https://github.com/roundcube/roundcubemail/commit/7d7b1dfeff795390b69905ceb63d6391b5b0dfe7
- https://github.com/roundcube/roundcubemail/commit/faf99bf8a2b7b7562206fa047e8de652861e624a
- https://github.com/roundcube/roundcubemail/issues/8193
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- FEDORA-2021-43d3c10590
- FEDORA-2021-167865df98
- DSA-5013
Modified: 2025-03-14
CVE-2021-44026
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
- https://bugs.debian.org/1000156
- https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
- https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
- [debian-lts-announce] 20211206 [SECURITY] [DLA 2840-1] roundcube security update
- FEDORA-2021-43d3c10590
- FEDORA-2021-167865df98
- DSA-5013