CVE-2010-0464
published 2010-01-29
CVE-2010-0464: Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for…
Priority P423 · medium · 5 (CVSS 2.0)
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 1.96% (77.8th percentile)
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 0.3.1-3 (bookworm) | roundcube 0.3.1-3 (bookworm) |
| roundcube | webmail | <= 0.3.1 | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
CVSS provenance
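| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |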
VulDB
Roundcube webmail up to 0.3.1 information disclosure (Nessus ID 47254 / SBV-25308)
vuldb·2026-04-29·CVSS 5.0
CVE-2010-0464 [MEDIUM] Roundcube webmail up to 0.3.1 information disclosure (Nessus ID 47254 / SBV-25308)
A vulnerability identified as problematic has been detected in Roundcube webmail up to 0.3.1. Affected by this vulnerability is an unknown functionality. Performing a manipulation results in information disclosure.
This vulnerability is identified as CVE-2010-0464. The attack can be initiated remotely. There is not any exploit available.
GHSA
GHSA-q33h-xmcx-jm3h: Roundcube 0
ghsa_unreviewed·2022-05-02
CVE-2010-0464 [MEDIUM] CWE-200 GHSA-q33h-xmcx-jm3h: Roundcube 0
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
OSV
CVE-2010-0464: Roundcube 0
osv·2010-01-29·CVSS 5.0
CVE-2010-0464 [MEDIUM] CVE-2010-0464: Roundcube 0
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Red Hat
roundcubemail: privacy compromise via DNS prefetching in web mail
vendor_redhat·2010-01-23·CVSS 5.0
CVE-2010-0464 [MEDIUM] roundcubemail: privacy compromise via DNS prefetching in web mail
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Debian
CVE-2010-0464: roundcube - Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS pref...
vendor_debian·2010·CVSS 5.0
CVE-2010-0464 [MEDIUM] CVE-2010-0464: roundcube - Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS pref...
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
Scope: local
bookworm: resolved (fixed in 0.3.1-3)
bullseye: resolved (fixed in 0.3.1-3)
forky: resolved (fixed in 0.3.1-3)
sid: resolved (fixed in 0.3.1-3)
trixie: resolved (fixed in 0.3.1-3)
No detection rules found.
No public exploits indexed.
Bugzilla
Fix for CVE-2010-0464 in Roundcube 0.1.1 in EPEL5
bugzilla·2012-11-14·CVSS 7.8
CVE-2010-0464 [HIGH] Fix for CVE-2010-0464 in Roundcube 0.1.1 in EPEL5
EPEL5 currently distributes roundcubemail-0.1.1-6. According to the RPM changelog several CVE security vulnerabilities have been fixed, but I did not find a mention of CVE-2010-0464 being fixed: http://www.cvedetails.com/cve/CVE-2008-5620/
According to http://www.cvedetails.com/vulnerability-list/vendor_id-8905/product_id-15709/version_id-66544/Roundcube-Roundcube-Webmail-0.1.1.html Roundcube 0.1.1 is vulnerable.
Fixes for the roundcubemail package in Fedora 11 and 12 seem to have gone out though: https://bugzilla.redhat.com/show_bug.cgi?id=560142
Discussion:
I'll look into upgrading to a higher version using the php53 stack.
---
This seems not to be immediately feasible, a patch might be faster. Do you know if a patch for this again
Bugzilla
CVE-2010-0464 roundcubemail: privacy compromise via DNS prefetching in web mail
bugzilla·2010-01-29·CVSS 5.0
CVE-2010-0464 [MEDIUM] CVE-2010-0464 roundcubemail: privacy compromise via DNS prefetching in web mail
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0464 to
the following vulnerability:
Name: CVE-2010-0464
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0464
Assigned: 20100129
Reference: MISC: https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
Reference: CONFIRM: http://trac.roundcube.net/ticket/1486449
Roundcube 0.3.1 and earlier does not request that the web browser
avoid DNS prefetching of domain names contained in e-mail messages,
which makes it easier for remote attackers to determine the network
location of the webmail user by logging DNS requests.
Discussion:
roundcubemail-0.3.1-2.fc12 has been pushed to the Fedora 12 stable repository. If
http://trac.roundcube.net/ticket/1486449
http://www.mandriva.com/security/advisories?name=MDVSA-2010:048
https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
Published 2010-01-29