CVE-2012-6121
Published: 2013-02-24
CVE-2012-6121: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text…
Priority: P4 (18) · medium · CVSS 2.0 base score 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 2.05% (78.8th percentile)
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
Affected
26 ranges (showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | — | — |
| roundcube | webmail | <= 0.8.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | LOW | — |
Debian
CVE-2012-6121 [MEDIUM]: roundcube - Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allow...
Source: vendor_debian · 2012 · CVSS 4.3
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-m6c6-6vhq-xhvp [MEDIUM] (CWE-79): Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0
Source: ghsa_unreviewed · 2022-05-17 · CVE-2012-6121
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
OSV
CVE-2012-6121 [MEDIUM]: Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0
Source: osv · 2013-02-24 · CVSS 4.3
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 0.8.5 allows remote attackers to inject arbitrary web script or HTML via a (1) data:text or (2) vbscript link.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-6121 [MEDIUM] roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling
Source: bugzilla · 2013-02-08 · CVSS 4.3
A cross-site scripting (XSS) flaw was found in the way Round Cube Webmail, a browser-based multilingual IMAP client, performed sanitization of 'data' and 'vbscript' URLs. A remote attacker could provide a specially-crafted URL that, when opened, would lead to arbitrary JavaScript, VisualBasic script or HTML code execution in the context of Round Cube Webmail's user session.
Upstream ticket:
[1] http://trac.roundcube.net/ticket/1488850
Further details:
[2] http://trac.roundcube.net/attachment/ticket/1488850/RoundCube2XSS.pdf
Upstream patch:
[3] https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba
References:
[4] http://sourceforge.net/news/?group_id=139
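The flaw described in this report is a URL-scheme check that let `data:text` and `vbscript:` links through. The following is an added illustration, written here in Python and not Roundcube's PHP code or the upstream patch linked above: it rewrites `href`/`src` attributes against a scheme allowlist, after undoing the encodings (HTML entities, embedded control characters, mixed case) that defeat a naive string comparison. The allowlist and the sample messages are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes this example allows a mail client to render in href/src.
# Everything else (javascript:, vbscript:, data:, ...) is rejected.
# This list is an assumption for the example, not Roundcube's own.
SAFE_SCHEMES = {"http", "https", "mailto", "ftp"}

# C0 control characters, space and DEL: browsers ignore these inside a
# scheme, so "java\tscript:" is treated as "javascript:".
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Quoted href/src attributes; unquoted attributes are out of scope here
# (a real sanitizer should operate on a parsed DOM, not a regex).
_URL_ATTR = re.compile(r"(?i)\b(href|src)\s*=\s*([\"'])(.*?)\2", re.S)


def normalise_url(raw: str) -> str:
    """Undo entity encoding and strip control characters so the scheme
    we check is the scheme the browser will actually act on."""
    url = html.unescape(raw)          # "&#118;bscript:" -> "vbscript:"
    return _CONTROL_CHARS.sub("", url)  # "java\tscript:" -> "javascript:"


def is_safe_url(raw: str) -> bool:
    """Allowlist check: a URL is safe only if it is relative or its
    (normalised, lower-cased) scheme is in SAFE_SCHEMES."""
    scheme = urlsplit(normalise_url(raw)).scheme.lower()
    if scheme == "":
        return True  # relative URL or fragment, no scheme to abuse
    return scheme in SAFE_SCHEMES


def sanitise_html_links(fragment: str) -> str:
    """Neutralise every href/src whose URL fails the allowlist."""
    def repl(m: re.Match) -> str:
        attr, quote, value = m.group(1), m.group(2), m.group(3)
        if is_safe_url(value):
            return m.group(0)
        return f"{attr}={quote}#{quote}"  # keep the tag, drop the URL
    return _URL_ATTR.sub(repl, fragment)


if __name__ == "__main__":
    # Constructed sample HTML mail body, not a real message.
    sample = ('<a href="https://example.com/x">ok</a> '
              '<a href="vbscript:msgbox(1)">bad</a> '
              '<a href="data:text/html,<b>x</b>">bad</a>')
    print(sanitise_html_links(sample))
```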
Bugzilla
CVE-2012-6121 [MEDIUM] roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling [epel-6]
Source: bugzilla · 2013-02-08 · CVSS 4.3
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when availab
Bugzilla
CVE-2012-6121 [MEDIUM] roundcubemail: Cross-site scripting (XSS) in vbscript: and data:text URL handling [fedora-all]
Source: bugzilla · 2013-02-08 · CVSS 4.3
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when availabl
References:
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00051.html
- http://lists.opensuse.org/opensuse-updates/2013-09/msg00018.html
- http://sourceforge.net/news/?group_id=139281&id=310213
- http://trac.roundcube.net/ticket/1488850
- http://www.openwall.com/lists/oss-security/2013/02/08/1
- http://www.securityfocus.com/bid/57849
- https://github.com/roundcube/roundcubemail/commit/74cd0a9b62f11bc07c5a1d3ba0098b54883eb0ba

Published: 2013-02-24