⚠ Actively exploited

Added to CISA KEV on 2024-06-26. Federal agencies required to patch by 2024-07-17. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2020-13965 — Cross-site Scripting in Webmail

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)14 documents11 sources

Severity

6.1MEDIUMNVD

EPSS

71.8%

top 1.26%

CISA KEV

KEV

Added 2024-06-26

Due 2024-07-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Roundcube Webmail Debian Linux Fedoraproject Fedora

Timeline

PublishedJun 9

KEV addedJun 26

KEV dueJul 17

Latest updateFeb 5

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDroundcube/webmail1.4.0 — 1.4.5+1

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

roundcube vulnerabilities↗2022-08-08

▶

GHSA

GHSA-44qp-5pm8-6j8p: An issue was discovered in Roundcube Webmail before 1↗2022-05-24

▶

OSV

CVE-2020-13965: An issue was discovered in Roundcube Webmail before 1↗2020-06-09

▶

CVEList

CVE-2020-13965: An issue was discovered in Roundcube Webmail before 1↗2020-06-09

▶

VulnCheck

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability↗2020

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Roundcube XSS via Malicious XML Attachment (CVE-2020-13965)↗2025-02-05

▶

📋Vendor Advisories

CISA

Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability↗2024-06-26

▶

Ubuntu

Roundcube Webmail vulnerabilities↗2022-08-08

▶

Red Hat

roundcubemail: XSS via a malicious XML attachment↗2020-06-09

▶

Debian

CVE-2020-13965: roundcube - An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4....↗2020

▶

💬Community

Bugzilla

CVE-2020-13965 roundcubemail: XSS via a malicious XML attachment↗2020-06-18

▶

Bugzilla

CVE-2020-13965 roundcubemail: XSS via a malicious XML attachment [fedora-all]↗2020-06-18

▶

Bugzilla

CVE-2020-13965 roundcubemail: XSS via a malicious XML attachment [epel-all]↗2020-06-18

▶