CVE-2021-26925: Cross-site Scripting in Webmail

Severity
5.4 MEDIUM (NVD)
EPSS
0.3% (top 50.67%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 9
Latest update: May 24

Description

Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (1 package)

NVD: roundcube/webmail < 1.4.11

Also affects: Fedora 32, 33

🔴 Vulnerability Details (3)

GHSA
GHSA-xw9h-8vfr-ppf5: Roundcube before 1 | 2022-05-24
OSV
CVE-2021-26925: Roundcube before 1 | 2021-02-09
CVEList
CVE-2021-26925: Roundcube before 1 | 2021-02-09

📋 Vendor Advisories (1)

Debian
CVE-2021-26925: roundcube - Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) toke... | 2021