CVE-2015-1433 — Cross-site Scripting in Webmail

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 28.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Roundcube Webmail Fedoraproject Fedora

Timeline

PublishedFeb 3

Latest updateMay 14

Description

program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute in an email.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDroundcube/webmail1.0.4

Also affects: Fedora 21

Patches

Patch: roundcube.net ↗Patch: roundcube.net ↗

🔴Vulnerability Details

GHSA

GHSA-92r9-jpwj-c2mw: program/lib/Roundcube/rcube_washtml↗2022-05-14

▶

CVEList

CVE-2015-1433: program/lib/Roundcube/rcube_washtml↗2015-02-03

▶

OSV

CVE-2015-1433: program/lib/Roundcube/rcube_washtml↗2015-02-03

▶

📋Vendor Advisories

Debian

CVE-2015-1433: roundcube - program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not prope...↗2015

▶

💬Community

Bugzilla

CVE-2015-1433 roundcubemail: crooss-site scripting in style attribute handling↗2015-02-02

▶

Bugzilla

CVE-2015-1433 roundcubemail: crooss-site scripting in style attribute handling [epel-all]↗2015-02-02

▶

Bugzilla

CVE-2015-1433 roundcubemail: crooss-site scripting in style attribute handling [fedora-all]↗2015-02-02

▶