CVE-2018-19206
Published: 2018-11-12
Priority: P3 (39) · Severity: medium · CVSS 3.0 base score: 6.1
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 60.16% (99.0th percentile)
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.3.8+dfsg.1-1 (bookworm) | roundcube 1.3.8+dfsg.1-1 (bookworm) |
| roundcube | roundcube_webmail | >= 0 < 1.2~beta+dfsg.1-0ubuntu1+esm7 | 1.2~beta+dfsg.1-0ubuntu1+esm7 |
| roundcube | roundcube_webmail | >= 0 < 1.3.6+dfsg.1-1ubuntu0.1~esm7 | 1.3.6+dfsg.1-1ubuntu0.1~esm7 |
| roundcube | webmail | < 1.3.8 | 1.3.8 |
Detection & IOCs (extracted from sources)
Path: steps/mail/func.inc
- Look for XSS payloads using an onload attribute within a BODY element delivered inside an HTML email attachment processed by Roundcube.
- Vulnerable code path is in steps/mail/func.inc; inspect the sanitization logic in that file for insufficient filtering of HTML event handler attributes in attachments.
- Vulnerability is scoped as local per the Debian Security Tracker, meaning exploitation requires the attacker to deliver a crafted HTML attachment to a victim who opens it in Roundcube webmail.
- All Roundcube installations prior to version 1.3.8 are affected; patched in Debian package 1.3.8+dfsg.1-1 across all tracked suites.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
Ubuntu: Roundcube Webmail vulnerabilities
vendor_ubuntu · 2026-03-30 · CVSS 6.1 · CVE-2018-19205 [MEDIUM]
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail did not properly sanitize
certain HTML elements within the e-mail body. An attacker could possibly
use this issue to cause a cross-site scripting attack. This issue was only
addressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)
It was discovered that Roundcube Webmail did not properly handle certain
configuration parameters. An attacker could possibly use this issue to
execute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2016-9920)
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting att
Debian: CVE-2018-19206: roundcube - steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><s...
vendor_debian · 2018 · CVSS 6.1 · [MEDIUM]
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
Scope: local
bookworm: resolved (fixed in 1.3.8+dfsg.1-1)
bullseye: resolved (fixed in 1.3.8+dfsg.1-1)
forky: resolved (fixed in 1.3.8+dfsg.1-1)
sid: resolved (fixed in 1.3.8+dfsg.1-1)
trixie: resolved (fixed in 1.3.8+dfsg.1-1)
OSV: roundcube vulnerabilities
osv · 2026-03-30 · CVSS 6.1 · CVE-2016-4068 [MEDIUM]
It was discovered that Roundcube Webmail did not properly sanitize CSS styles
within SVG documents. An attacker could possibly use this issue to cause
a cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS.
(CVE-2017-6820)
It was di
GHSA: GHSA-p9mh-3gv4-mcg7: steps/mail/func
ghsa_unreviewed · 2022-05-13 · CVE-2018-19206 [MEDIUM] · CWE-79
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
OSV: CVE-2018-19206: steps/mail/func
osv · 2018-11-12 · CVSS 6.1 · [MEDIUM]
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.8
- https://roundcube.net/news/2018/10/26/update-1.3.8-released
- https://www.debian.org/security/2018/dsa-4344