CVE-2021-46144: Cross-site Scripting in Roundcube

Severity
6.1 MEDIUM (NVD)
EPSS
1.1%
top 22.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 6
Latest update: Aug 8

Description

Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail message with crafted Cascading Style Sheets (CSS) token sequences.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (3 packages)

debian: debian/roundcube < roundcube 1.6.0+dfsg-1 (bookworm)
NVD: roundcube/roundcube 1.5.0 1.5.2 +1
Debian: roundcube/roundcube < 1.4.13+dfsg.1-1~deb11u1 +3

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

🔴 Vulnerability Details (3)

OSV: roundcube vulnerabilities (2022-08-08)
GHSA: GHSA-8373-wxqf-ph2h: Roundcube before 1 (2022-01-07)
OSV: CVE-2021-46144: Roundcube before 1 (2022-01-06)

📋 Vendor Advisories (2)

Ubuntu: Roundcube Webmail vulnerabilities (2022-08-08)
Debian: CVE-2021-46144: roundcube - Roundcube before 1.4.13 and 1.5.x before 1.5.2 allows XSS via an HTML e-mail mes... (2021)