Cross-Site Scripting Vulnerability in Roundcube Webmail by Roundcube
CVE-2015-5381

6.1MEDIUM

Key Information:

Vendor

Roundcube

Status
Roundcube Webmail
Webmail
Vendor
CVE Published:
23 May 2017

What is CVE-2015-5381?

An XSS vulnerability exists in Roundcube Webmail versions 1.1.x prior to 1.1.2, specifically in the program/include/rcmail.php file. This flaw allows remote attackers to inject arbitrary web scripts or HTML code via the _mbox parameter to the default URI. Exploitation of this vulnerability could lead to unauthorized actions carried out on behalf of users, compromising their personal data and security.

References

http://www.openwall.com/lists/oss-security/2015/07/07/2
mailing-listx_refsource_MLIST
http://trac.roundcube.net/ticket/1490417
x_refsource_CONFIRM
https://github.com/roundcube/roundcubemail/issues/4837
x_refsource_CONFIRM

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.