CVE-2020-13965
published 2020-06-09


Priority: P1 · 82 · medium · CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
KEV · ITW
CISA Known Exploited Vulnerability, due 2024-07-17
Exploited in the wild
EPSS: 76.60% (99.5th percentile)
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

Affected (7 ranges)

Vendor        | Product      | Version range                          | Fixed in
debian        | debian_linux |                                        |
debian        | debian_linux |                                        |
debian        | roundcube    | < roundcube 1.4.5+dfsg.1-1 (bookworm)  | roundcube 1.4.5+dfsg.1-1 (bookworm)
fedoraproject | fedora       |                                        |
fedoraproject | fedora       |                                        |
roundcube     | webmail      | < 1.3.12                               | 1.3.12
roundcube     | webmail      | >= 1.4.0 < 1.4.5                       | 1.4.5

Detection & IOCs (extracted from sources)

url: https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3
snort:
alert smtp any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Roundcube XSS via Malicious XML Attachment (CVE-2020-13965)"; flow:established,to_server; content:"Content-Type|3a 20|text/xml|3b 20|name|3d 22|"; content:".xml|22|"; within:50; content:"Content-Disposition|3a 20|inline|3b 20|filename|3d 22|"; content:".xml|22|"; within:50; content:"|3c|"; distance:0; content:"|3a|script|20|xmlns|3a|"; within:50; fast_pattern; content:"|2f|xhtml|22 3e|"; within:150; content:"|3a|script|3e|"; within:400; reference:url,github.com/mbadanoiu/CVE-2020-13965; reference:cve,2020-13965; classtype:web-application-attack; sid:2059898; rev:1; metadata:affected_product Roundcube, attack_target Web_Server, tls_state plaintext, created_at 2025_02_05, cve CVE_2020_13965, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit is delivered over SMTP as an email attachment with Content-Type: text/xml and Content-Disposition: inline — monitor inbound SMTP traffic for XML attachments served inline, because text/xml is among the MIME types permitted for preview in vulnerable Roundcube versions.
  • The Snort/Suricata rule (ET sid:2059898) keys on the byte sequence |3a|script|20|xmlns|3a| (`:script xmlns:`) within 50 bytes of the `<` that follows the inline .xml Content-Disposition header, then |2f|xhtml|22 3e| (`/xhtml">`) within 150 bytes and |3a|script|3e| (`:script>`) within 400 bytes — together these identify the XHTML script namespace trick used to smuggle JavaScript inside an XML document.
  • Look for email attachments where Content-Type is text/xml and Content-Disposition is inline with a .xml filename — this combination is what reaches the vulnerable preview path in Roundcube.
  • A PoC/exploit reference is available at github.com/mbadanoiu/CVE-2020-13965 — useful for constructing test payloads or validating detection coverage.
  • The Snort rule (sid:2059898) is scoped to plaintext SMTP only (tls_state plaintext) — it will NOT fire on SMTPS/STARTTLS-encrypted email streams, leaving a detection gap for TLS-wrapped delivery.
  • The vulnerability affects Roundcube Webmail versions before 1.3.12 and 1.4.x before 1.4.5 — scope version-based detection or asset inventory to these ranges only.
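As an added defender-side example (not code from this page, Roundcube, or the ET rule author), the same three conditions the bullets above describe are checked against a parsed MIME message rather than the raw SMTP byte stream, so a part that is base64 or quoted-printable encoded is still inspected after transfer decoding; the sample message, part names and filenames are constructed for the test.

```python
import re
from email import policy
from email.parser import BytesParser

# Namespace-prefixed <p:script ...> bound to the XHTML namespace, closed by
# </p:script>: the same ":script xmlns:" / "/xhtml\">" / ":script>" sequence
# the ET rule keys on, but matched per MIME part after transfer decoding.
XHTML_SCRIPT_RE = re.compile(
    rb"<(?P<p>[A-Za-z_][\w.-]*):script\b[^>]*\bxmlns:(?P=p)\s*=\s*"
    rb"[\"']http://www\.w3\.org/1999/xhtml[\"'][^>]*>.*?</(?P=p):script>",
    re.DOTALL | re.IGNORECASE,
)

def find_xml_script_attachments(raw_message: bytes) -> list:
    """Return (filename, snippet) for each MIME part on the vulnerable preview
    path (text/xml, inline, .xml filename) that carries an XHTML script."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/xml":
            continue
        filename = part.get_filename() or ""
        if (part.get_content_disposition() != "inline"
                or not filename.lower().endswith(".xml")):
            continue
        body = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        m = XHTML_SCRIPT_RE.search(body)
        if m:
            findings.append((filename, m.group(0)[:60].decode("ascii", "replace")))
    return findings

# Constructed sample (not a real capture): a benign text part and one inline
# .xml part whose namespaced script element should be flagged.
SAMPLE_EML = b"""\
From: sender@example.test
To: user@example.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/xml; name="report.xml"
Content-Disposition: inline; filename="report.xml"

<?xml version="1.0"?><root><x:script xmlns:x="http://www.w3.org/1999/xhtml">/* marker */</x:script></root>
--b1--
"""
```

The regex is deliberately narrow (prefixed XHTML namespace on the script element, as in the rule); broaden it only after measuring the false-positive rate on your own mail flow.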

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v3.1    | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd            | v2.0    | 4.3   | MEDIUM   | AV:N/AC:M/Au:N/C:N/I:P/A:N
osv            |         | 6.1   | MEDIUM   |
vulncheck      |         | 6.1   | MEDIUM   |
cisa           |         | 6.1   | MEDIUM   |
vendor_debian  |         | 6.1   | MEDIUM   |
vendor_redhat  |         | 6.1   | MEDIUM   |
vendor_ubuntu  |         | 6.1   | MEDIUM   |