CSRF Vulnerability in Roundcube Webmail by Roundcube
CVE-2020-12626

6.5MEDIUM

Key Information:

Vendor

Roundcube

Status
Webmail
Vendor
CVE Published:
4 May 2020

What is CVE-2020-12626?

A vulnerability in Roundcube Webmail allows a Cross-Site Request Forgery (CSRF) attack to be executed, leading to authenticated users being forcibly logged out of their accounts. This occurs due to the inadequacy of the POST method being taken into account during the logout process. Users running versions prior to 1.4.4 are particularly susceptible. To mitigate this issue, updating to the latest version is essential. Relevant patches and updates can be found in the official release notes and comparison logs.

References

https://github.com/roundcube/roundcubemail/releases/tag/1...
x_refsource_MISC
https://github.com/roundcube/roundcubemail/compare/1.4.3....
x_refsource_MISC
https://github.com/roundcube/roundcubemail/pull/7302
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2020-12626 : CSRF Vulnerability in Roundcube Webmail by Roundcube