CVE-2018-19206Cross-site Scripting in Webmail

CWE-79Cross-site Scripting7 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
2.4%
top 15.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Roundcube WebmailRoundcube WebmailDebian Linux
Timeline
PublishedNov 12
Latest updateMar 30

Description

steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of , as demonstrated by an onload attribute in a BODY element, within an HTML attachment.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDroundcube/webmail< 1.3.8
Ubunturoundcube/roundcube_webmail< 1.2~beta+dfsg.1-0ubuntu1+esm7+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

4
OSV
roundcube vulnerabilities2026-03-30
GHSA
GHSA-p9mh-3gv4-mcg7: steps/mail/func2022-05-13
OSV
CVE-2018-19206: steps/mail/func2018-11-12
CVEList
CVE-2018-19206: steps/mail/func2018-11-12

📋Vendor Advisories

2
Ubuntu
Roundcube Webmail vulnerabilities2026-03-30
Debian
CVE-2018-19206: roundcube - steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><s...2018
CVE-2018-19206 — Cross-site Scripting in Webmail | cvebase