CVE-2013-5646
Published: 2013-08-29
Priority: P4 · 12 · Severity: low · CVSS 2.0 base score: 3.5
CVSS 2.0 vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
EPSS: 1.15% (63.0th percentile)
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | — | — |
| roundcube | webmail | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| vendor_debian | — | 3.5 | LOW | — |
Debian
CVE-2013-5646: roundcube (vendor_debian · 2013 · CVSS 3.5 · LOW)
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
Scope: local
Release status:
* bookworm: resolved
* bullseye: resolved
* forky: resolved
* sid: resolved
* trixie: resolved
GHSA
GHSA-rjrq-995m-qvx8 (ghsa_unreviewed · 2022-05-17 · LOW · CWE-79)
Cross-site scripting (XSS) vulnerability in Roundcube webmail 1.0-git allows remote authenticated users to inject arbitrary web script or HTML via the Name field of an addressbook group.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-5645 CVE-2013-5646 roundcubemail: two XSS flaws fixed in 0.9.3 (bugzilla · 2013-08-23 · CVSS 4.3 · MEDIUM)
Two XSS flaws were fixed in roundcube 0.9.3 [1]:
* Fix XSS vulnerability when saving HTML signatures [2],[3]
* Fix XSS vulnerability when editing a message "as new" or draft [2],[4]
[1] http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
[2] http://trac.roundcube.net/ticket/1489251
[3] http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
[4] http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
Discussion:
Created roundcubemail tracking bugs for this issue:
Affects: fedora-all [bug 1000511]
Affects: epel-6 [bug 1000512]
---
These were assigned CVEs as follows:
http://www.openwall.com/lists/oss-security/2013/08/28/4
All aspects of CVE-2013-5645 we
Bugzilla
CVE-2012-5646 openshift-origin-node-util: restorer.php preg_match shell code injection (bugzilla · 2012-12-18 · CVSS 7.5 · HIGH)
Michael Scherer ([email protected]) reports: the file https://github.com/openshift/origin-server/blob/master/node-util/www/html/restorer.php, used to restore an application after being idle, fails to safely handle user-supplied data that is later used on the command line.
Discussion:
Created attachment 665754
CVE-2012-5646-restorer.php.patch
---
Acknowledgements:
This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
---
This issue has been addressed in following products:
RHEL 6 Version of OpenShift Enterprise
Via RHSA-2013:0148 https://rhn.redhat.com/errata/RHSA-2013-0148.html
---
This issue has been addressed in OpenShift Online.
Published: 2013-08-29