CVE-2017-6820
Published 2017-03-12
CVE-2017-6820: rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets…
Priority P423 · medium · 6.1 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.29% (66.7th percentile)
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.2.3+dfsg.1-3 (bookworm) | roundcube 1.2.3+dfsg.1-3 (bookworm) |
| roundcube | roundcube_webmail | >= 0 < 1.2~beta+dfsg.1-0ubuntu1+esm7 | 1.2~beta+dfsg.1-0ubuntu1+esm7 |
| roundcube | roundcube_webmail | >= 0 < 1.3.6+dfsg.1-1ubuntu0.1~esm7 | 1.3.6+dfsg.1-1ubuntu0.1~esm7 |
| roundcube | webmail | <= 1.1.7 | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
| roundcube | webmail | — | — |
CVSS provenance
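| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |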
Ubuntu
Roundcube Webmail vulnerabilities
vendor_ubuntu·2026-03-30·CVSS 6.1
CVE-2018-19205 [MEDIUM] Roundcube Webmail vulnerabilities
Title: Roundcube Webmail vulnerabilities
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail did not properly sanitize
certain HTML elements within the e-mail body. An attacker could possibly
use this issue to cause a cross-site scripting attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting att
Debian
CVE-2017-6820: roundcube - rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible ...
vendor_debian·2017·CVSS 6.1
CVE-2017-6820 [MEDIUM] CVE-2017-6820: roundcube - rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible ...
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
Scope: local
bookworm: resolved (fixed in 1.2.3+dfsg.1-3)
bullseye: resolved (fixed in 1.2.3+dfsg.1-3)
forky: resolved (fixed in 1.2.3+dfsg.1-3)
sid: resolved (fixed in 1.2.3+dfsg.1-3)
trixie: resolved (fixed in 1.2.3+dfsg.1-3)
OSV
roundcube vulnerabilities
osv·2026-03-30·CVSS 6.1
CVE-2016-4068 [MEDIUM] roundcube vulnerabilities
It was discovered that Roundcube Webmail did not properly sanitize
certain HTML elements within the e-mail body. An attacker could possibly
use this issue to cause a cross-site scripting attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2017-6820)
It was di
GHSA
GHSA-76mh-6w46-rwcg: rcube_utils
ghsa_unreviewed·2022-05-14
CVE-2017-6820 [MEDIUM] CWE-79 GHSA-76mh-6w46-rwcg: rcube_utils
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
OSV
CVE-2017-6820: rcube_utils
osv·2017-03-12·CVSS 6.1
CVE-2017-6820 [MEDIUM] CVE-2017-6820: rcube_utils
rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/96817
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released
Published: 2017-03-12