CVE-2012-1253
Published: 2012-06-04
Priority: P4 · 9 · low · CVSS 2.0 base score 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
EPSS: 1.81% (75.9th percentile)
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 0.7-1 (bookworm) | roundcube 0.7-1 (bookworm) |
| roundcube | webmail | <= 0.6 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| osv | — | 2.6 | LOW | — |
| vendor_redhat | — | 4.6 | MEDIUM | — |
| vendor_debian | — | 2.6 | LOW | — |
Note: the vendor_redhat score comes from the Red Hat record further down this page, which is filed under CVE-2011-1020 (a Linux kernel /proc issue), not under CVE-2012-1253.
GHSA
GHSA-3mvr-3jc2-mgf4 · ghsa_unreviewed · 2022-05-17 · CVE-2012-1253 · LOW · CWE-79
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
OSV
CVE-2012-1253 · osv · 2012-06-04 · CVSS 2.6 · LOW
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
Debian
CVE-2012-1253: roundcube · vendor_debian · 2012 · CVSS 2.6 · LOW
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
Scope: local
Status by release:
- bookworm: resolved (fixed in 0.7-1)
- bullseye: resolved (fixed in 0.7-1)
- forky: resolved (fixed in 0.7-1)
- sid: resolved (fixed in 0.7-1)
- trixie: resolved (fixed in 0.7-1)
Red Hat
CVE-2011-1020 · vendor_redhat · 2011-02-07 · CVSS 4.6 · MEDIUM (this record is filed under CVE-2011-1020, not CVE-2012-1253)
kernel: no access restrictions of /proc/pid/* after setuid program exec
The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.
Statement: Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.
This has been addressed in Red Hat Enterprise Linux 5, 6 and Red Hat Enterprise MRG via RHSA-2012:0007, RHSA-2011:1530 and RHSA-2011:1253 respectively.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-1253 roundcubemail: XSS flaw fixed in 0.7 · bugzilla · 2012-06-04 · CVSS 2.6 · LOW
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1253 to the following vulnerability:
Name: CVE-2012-1253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1253
Assigned: 20120221
References:
- http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7/
- JVN:JVN#21422837
- http://jvn.jp/en/jp/JVN21422837/index.html
- JVNDB:JVNDB-2012-000050
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-000050
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.7, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via vectors involving an embedded image attachment.
Discussion:
Created roundcubemail tracking bugs for this is
Bugzilla
CVE-2012-1253 roundcubemail: XSS flaw fixed in 0.7 [epel-all] · bugzilla · 2012-06-04 · CVSS 2.6 · LOW
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=828556
Bugzilla
CVE-2012-1253 roundcubemail: XSS flaw fixed in 0.7 [fedora-16] · bugzilla · 2012-06-04 · CVSS 2.6 · LOW
Automatically created Fedora tracking bug carrying the same standard tracking-bug text as the [epel-all] entry above (see http://fedoraproject.org/wiki/Security/TrackingBugs).
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=828556
References:
- http://jvn.jp/en/jp/JVN21422837/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-000050
- http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.7/
Published: 2012-06-04