Cross-Site Scripting in Roundcube Webmail Affects Older Versions
CVE-2020-13964
6.1 MEDIUM
What is CVE-2020-13964?
A Cross-Site Scripting (XSS) vulnerability exists in Roundcube Webmail prior to version 1.3.12 and in the 1.4.x series before 1.4.5. The flaw is in the file include/rcmail_output_html.php, where insufficient sanitization of the username template object allows an attacker to inject script content into the rendered page. Because the injected script runs in the context of the victim's webmail session, it could be used to perform unauthorized actions on the user's behalf and expose sensitive data. Users should upgrade to 1.3.12 or 1.4.5 (or later) to remediate this issue.
References
CVSS V3.1
Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved