Roundcube Webmail vulnerabilities
7 known vulnerabilities affecting roundcube/roundcube_webmail.
Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 5
Vulnerabilities
CVE-2015-5383 | HIGH | CVSS 7.5 | CWE-200 | v1.1.1 | 2017-05-23
Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory.
Sources: nvd, osv
CVE-2015-5381 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1 | 2017-05-23
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.
Sources: nvd, osv
CVE-2015-5382 | MEDIUM | CVSS 6.5 | CWE-200 | ≤ 1.0.5, v1.1.1 | 2017-05-23
program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.
Sources: nvd, osv
CVE-2015-8864 | MEDIUM | CVSS 6.1 | CWE-79 | v1.1.1, v1.1.2, +1 more | 2017-04-13
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068.
Sources: nvd, osv
CVE-2016-4068 | MEDIUM | CVSS 6.1 | v1.1.1, v1.1.2, +1 more | 2017-04-13
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Sources: nvd, osv
CVE-2015-8770 | HIGH | CVSS 7.5 | PoC | CWE-22 | ≤ 1.0.7, v1.1.0, +3 more | 2016-01-29
Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php.
Sources: nvd, osv
CVE-2015-8794 | MEDIUM | CVSS 6.5 | CWE-22 | ≤ 1.0.5, v1.1.0, +1 more | 2016-01-29
Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.
Sources: nvd, osv