Back to CVE Browser

CVE-2020-35730

Known Exploited (CISA KEV)MEDIUM

6.1

CVSS Severity Score

EPSS Score65.4580%

EPSS Percentile97.94th

PublishedDec 28, 2020

Last ModifiedNov 4, 2025

Vulnerability Description

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Affected Platforms (CPE)

📦

Roundcube

Webmail

< 1.2.13

📦

Roundcube

Webmail

>= 1.3.0 and < 1.3.16

📦

Roundcube

Webmail

>= 1.4 and < 1.4.10

💻

Fedoraproject

Fedora

= 32

💻

Fedoraproject

Fedora

= 33

💻

Debian

Debian Linux

= 9.0

References & Advisories

🔗 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491

🔗 https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.2.13

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.3.16

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.4.10

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/

🔗 https://roundcube.net/download/

Related Vulnerabilities

CVE-2001-095310.0

Kebi WebMail allows remote attackers to access the administrator menu and gain privileges via the /a/ hidden directory, which is i...

CVE-2003-120210.0

The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via...

CVE-2001-002110.0

MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate...

CVE-2003-119210.0

Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request.