Cross-Site Scripting Vulnerability in Roundcube Webmail
CVE-2020-13965

6.1 MEDIUM

Key Information:

Vendor: Roundcube
Status: Vendor
CVE Published: 9 June 2020

Badges

👾 Exploit Exists · 🟣 EPSS 83% · 🦅 CISA Reported

What is CVE-2020-13965?

A cross-site scripting (XSS) vulnerability was discovered in Roundcube Webmail prior to versions 1.3.12 and 1.4.5. The issue arises because text/xml was accepted as a valid file type for attachment preview, so a malicious XML attachment is rendered by the browser instead of being offered as a download. By crafting a harmful XML file, an attacker could execute arbitrary scripts in the victim's browser in the context of the user's webmail session, potentially leading to data exposure and manipulation.

CISA has reported CVE-2020-13965

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2020-13965 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS Score

83% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 🦅 CISA Reported
  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved