CVE-2019-10740Cleartext Transmission of Sensitive Info in Webmail

CWE-319Cleartext Transmission of Sensitive Info9 documents7 sources
Severity
4.3MEDIUMNVD
OSV6.1
EPSS
0.2%
top 61.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Roundcube WebmailRoundcube WebmailFedoraproject Fedora+2 more
Timeline
PublishedApr 7
Latest updateMar 30

Description

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this (benign looking) email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

NVDroundcube/webmail< 1.3.10
Ubunturoundcube/roundcube_webmail< 1.2~beta+dfsg.1-0ubuntu1+esm7+1
NVDopensuse/leap15.1, 15.2+1

Also affects: Fedora 29

🔴Vulnerability Details

4
OSV
roundcube vulnerabilities2026-03-30
GHSA
GHSA-8x8m-cq38-629v: In Roundcube Webmail before 12022-05-04
CVEList
CVE-2019-10740: In Roundcube Webmail before 12019-04-07
OSV
CVE-2019-10740: In Roundcube Webmail before 12019-04-07

📋Vendor Advisories

2
Ubuntu
Roundcube Webmail vulnerabilities2026-03-30
Debian
CVE-2019-10740: roundcube - In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP e...2019

💬Community

2
Bugzilla
CVE-2019-10740 roundcubemail: information disclosure of encrypted message [epel-all]2019-04-15
Bugzilla
CVE-2019-10740 roundcubemail: information disclosure of encrypted message2019-04-15
CVE-2019-10740 — Roundcube Webmail vulnerability | cvebase