Filtered by vendor Roundcube
Subscriptions
Filtered by product Webmail
Subscriptions
Total
68 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2011-1491 | 1 Roundcube | 1 Webmail | 2025-04-11 | N/A |
| The login form in Roundcube Webmail before 0.5.1 does not properly handle a correctly authenticated but unintended login attempt, which makes it easier for remote authenticated users to obtain sensitive information by arranging for a victim to login to the attacker's account and then compose an e-mail message, related to a "login CSRF" issue. | ||||
| CVE-2011-4078 | 2 Php, Roundcube | 2 Php, Webmail | 2025-04-11 | N/A |
| include/iniset.php in Roundcube Webmail 0.5.4 and earlier, when PHP 5.3.7 or 5.3.8 is used, allows remote attackers to trigger a GET request for an arbitrary URL, and cause a denial of service (resource consumption and inbox outage), via a Subject header containing only a URL, a related issue to CVE-2011-3379. | ||||
| CVE-2009-4076 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that modify user information via unspecified vectors, a different vulnerability than CVE-2009-4077. | ||||
| CVE-2009-0413 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in RoundCube Webmail (roundcubemail) 0.2 stable allows remote attackers to inject arbitrary web script or HTML via the background attribute embedded in an HTML e-mail message. | ||||
| CVE-2008-5620 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| RoundCube Webmail (roundcubemail) before 0.2-beta allows remote attackers to cause a denial of service (memory consumption) via crafted size parameters that are used to create a large quota image. | ||||
| CVE-2008-5619 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| html2text.php in Chuggnutt HTML to Text Converter, as used in PHPMailer before 5.2.10, RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta, Mahara, and AtMail Open 1.03, allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch. | ||||
| CVE-2007-6321 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| Cross-site scripting (XSS) vulnerability in RoundCube webmail 0.1rc2, 2007-12-09, and earlier versions, when using Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via style sheets containing expression commands. | ||||
| CVE-2009-4077 | 1 Roundcube | 1 Webmail | 2025-04-09 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail 0.2.2 and earlier allows remote attackers to hijack the authentication of unspecified users for requests that send arbitrary emails via unspecified vectors, a different vulnerability than CVE-2009-4076. | ||||
| CVE-2005-4368 | 1 Roundcube | 1 Webmail | 2025-04-03 | N/A |
| roundcube webmail Alpha, with a default high verbose level ($rcmail_config['debug_level'] = 1), allows remote attackers to obtain the full path of the application via an invalid_task parameter, which leaks the path in an error message. | ||||
| CVE-2024-42008 | 1 Roundcube | 1 Webmail | 2025-03-13 | 9.3 Critical |
| A Cross-Site Scripting vulnerability in rcmail_action_mail_get->run() in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a malicious e-mail attachment served with a dangerous Content-Type header. | ||||
| CVE-2023-47272 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2024-11-21 | 6.1 Medium |
| Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | ||||
| CVE-2021-44025 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2024-11-21 | 6.1 Medium |
| Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to XSS in handling an attachment's filename extension when displaying a MIME type warning message. | ||||
| CVE-2021-26925 | 2 Fedoraproject, Roundcube | 2 Fedora, Webmail | 2024-11-21 | 5.4 Medium |
| Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. | ||||
| CVE-2020-18671 | 1 Roundcube | 1 Webmail | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php. | ||||
| CVE-2020-18670 | 1 Roundcube | 1 Webmail | 2024-11-21 | 5.4 Medium |
| Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php. | ||||
| CVE-2020-16145 | 2 Fedoraproject, Roundcube | 2 Fedora, Webmail | 2024-11-21 | 6.1 Medium |
| Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15. | ||||
| CVE-2020-15562 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists. | ||||
| CVE-2020-13964 | 3 Debian, Fedoraproject, Roundcube | 3 Debian Linux, Fedora, Webmail | 2024-11-21 | 6.1 Medium |
| An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object. | ||||
| CVE-2020-12640 | 2 Opensuse, Roundcube | 3 Backports Sle, Leap, Webmail | 2024-11-21 | 9.8 Critical |
| Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php. | ||||
| CVE-2020-12626 | 2 Debian, Roundcube | 2 Debian Linux, Webmail | 2024-11-21 | 6.5 Medium |
| An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. | ||||