CVE-2012-3507
Published 2012-08-25
CVE-2012-3507: Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers…
Priority: P4 · 12 · low · CVSS 2.0 base score 2.6
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:N/I:P/A:N
EPSS: 2.13% (79.6th percentile)
Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
Affected (21 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | — | — |
| roundcube | webmail | <= 0.7.3 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
| vendor_debian | — | 2.6 | LOW | — |
Debian
CVE-2012-3507 [LOW]: roundcube - Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in Round...
Source: vendor_debian · 2012 · CVSS 2.6
Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-4x5w-wj77-jppr [LOW, CWE-79]: Cross-site scripting (XSS) vulnerability in program/steps/mail/func
Source: ghsa_unreviewed · 2022-05-17
Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-3507 [LOW]: roundcubemail: XSS in program/steps/mail/func.inc fixed in 0.8.0
Source: bugzilla · 2012-08-27 · CVSS 2.6
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3507 to
the following vulnerability:
Name: CVE-2012-3507
Reference: MLIST:[oss-security] 20120820 CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/2
Reference: MLIST:[oss-security] 20120820 Re: CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/9
Reference: MLIST:[oss-security] 20120820 Re: CVE-request: Roundcube XSS issues
Reference: URL:http://www.openwall.com/lists/oss-security/2012/08/20/3
Reference: MISC:http://www.securelist.com/en/advisories/50212
Reference: CONFIRM:http://sourceforge.net/projects/roundcubemail/files/roundcubemail/
Bugzilla
CVE-2012-3507 [LOW]: roundcubemail: XSS in program/steps/mail/func.inc fixed in 0.8.0 [epel-all]
Source: bugzilla · 2012-08-27 · CVSS 2.6
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?
Bugzilla
CVE-2012-3507 [LOW]: roundcubemail: XSS in program/steps/mail/func.inc fixed in 0.8.0 [fedora-all]
Source: bugzilla · 2012-08-27 · CVSS 2.6
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new
Bugzilla
CVE-2012-3508 [MEDIUM]: roundcubemail: XSS by processing signatures in HTML mode
Source: bugzilla · 2012-08-20 · CVSS 4.3
A cross-site scripting (XSS) flaw was found in the way RoundCube Webmail, a browser-based multilingual IMAP client, performed sanitization of signature content in HTML email. A remote attacker could send an email message with a specially crafted signature value that, when processed by roundcubemail, would lead to arbitrary HTML or web script execution.
Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488613
Relevant patch:
[2] https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32
References:
[3] http://trac.roundcube.net/wiki/Changelog
[4] http://www.openwall.com/lists/oss-security/2012/08/20/2
Note: The "Larry skin Subject header XSS flaw:
http://trac.roundcube.net/tick
References
http://secunia.com/advisories/50212
http://sourceforge.net/projects/roundcubemail/files/roundcubemail/0.8.0/
http://trac.roundcube.net/ticket/1488519
http://www.openwall.com/lists/oss-security/2012/08/20/2
http://www.openwall.com/lists/oss-security/2012/08/20/3
http://www.openwall.com/lists/oss-security/2012/08/20/9
http://www.securelist.com/en/advisories/50212
Published: 2012-08-25