CVE-2019-15237
Published 2019-08-20
CVE-2019-15237: Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Priority: P4 · 30 · high · 7.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
EPSS: 0.93% (56.0th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | roundcube | < roundcube 1.5.0+dfsg.1-1 (bookworm) | roundcube 1.5.0+dfsg.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| roundcube | webmail | <= 1.3.9 | — |
| ubuntu | roundcube | — | — |
CVSS provenance
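| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | | 7.4 | HIGH | |
| vendor_debian | | 7.4 | LOW | |
| vendor_ubuntu | | 7.4 | HIGH | |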
GHSA
GHSA-j43j-vfwj-cc4j: Roundcube Webmail through 1
ghsa_unreviewed·2022-05-24
CVE-2019-15237 [HIGH] GHSA-j43j-vfwj-cc4j: Roundcube Webmail through 1
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
OSV
CVE-2019-15237: Roundcube Webmail through 1
osv·2019-08-20·CVSS 7.4
CVE-2019-15237 [HIGH] CVE-2019-15237: Roundcube Webmail through 1
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Ubuntu
Roundcube Webmail vulnerabilities
vendor_ubuntu·2026-04-29·CVSS 7.4
CVE-2024-42010 [HIGH] Roundcube Webmail vulnerabilities
Title: Roundcube Webmail vulnerabilities
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail mishandled Punycode xn-- domain names. An attacker could possibly use this issue to cause a homograph attack. (CVE-2019-15237)
It was discovered that Roundcube Webmail did not properly sanitize certain attributes when handling CSS within HTML messages and certain SVG attributes. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2024-38356, CVE-2024-38357)
It was discovered that Roundcube Webmail did not properly sanitize certain HTML attributes when rendering e-mail messages. An attacker could possibly use this issue to cause a cross-site scripting attack. (CVE-2024-42008)
It was discovered that Roundcu
Debian
CVE-2019-15237: roundcube - Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading t...
vendor_debian·2019·CVSS 7.4
CVE-2019-15237 [HIGH] CVE-2019-15237: roundcube - Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading t...
Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
Scope: local
bookworm: resolved (fixed in 1.5.0+dfsg.1-1)
bullseye: open
forky: resolved (fixed in 1.5.0+dfsg.1-1)
sid: resolved (fixed in 1.5.0+dfsg.1-1)
trixie: resolved (fixed in 1.5.0+dfsg.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-15237 roundcube: mishandling of Punycode xn-- domain name leads to homograph attack
bugzilla·2019-08-30·CVSS 7.4
CVE-2019-15237 [HIGH] CVE-2019-15237 roundcube: mishandling of Punycode xn-- domain name leads to homograph attack
A vulnerability was found in Roundcube Webmail through 1.3.9, which mishandles Punycode xn-- domain names, leading to homograph attacks.
Reference:
https://github.com/roundcube/roundcubemail/issues/6891
Discussion:
Created roundcubemail tracking bugs for this issue:
Affects: epel-all [bug 1747323]
Affects: fedora-all [bug 1747322]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2019-15237 roundcubemail: roundcube: mishandling of Punycode xn-- domain name leads to homograph attack [epel-all]
bugzilla·2019-08-30·CVSS 7.4
CVE-2019-15237 [HIGH] CVE-2019-15237 roundcubemail: roundcube: mishandling of Punycode xn-- domain name leads to homograph attack [epel-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this is
Bugzilla
CVE-2019-15237 roundcubemail: roundcube: mishandling of Punycode xn-- domain name leads to homograph attack [fedora-all]
bugzilla·2019-08-30·CVSS 7.4
CVE-2019-15237 [HIGH] CVE-2019-15237 roundcubemail: roundcube: mishandling of Punycode xn-- domain name leads to homograph attack [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
https://github.com/roundcube/roundcubemail/issues/6891
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/
Published: 2019-08-20