CVEブラウザに戻る

CVE-2020-35730

Known Exploited (CISA KEV)MEDIUM

6.1

CVSS Severity Score

EPSS Score65.4580%

EPSS Percentile97.94th

Published2020年12月28日

Last Modified2025年11月4日

Vulnerability Description

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Affected Platforms (CPE)

📦

Roundcube

Webmail

< 1.2.13

📦

Roundcube

Webmail

>= 1.3.0 and < 1.3.16

📦

Roundcube

Webmail

>= 1.4 and < 1.4.10

💻

Fedoraproject

Fedora

= 32

💻

Fedoraproject

Fedora

= 33

💻

Debian

Debian Linux

= 9.0

References & Advisories

🔗 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491

🔗 https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.2.13

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.3.16

🔗 https://github.com/roundcube/roundcubemail/releases/tag/1.4.10

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/

🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/

🔗 https://roundcube.net/download/

関連する脆弱性情報

CVE-2001-095310.0

Kebi WebMail allows remote attackers to access the administrator menu and gain privileges via the /a/ hidden directory, which is i...

CVE-2003-120210.0

The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via...

CVE-2001-002110.0

MailMan Webmail 3.0.25 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the alternate...

CVE-2003-119210.0

Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request.