Cross-Site Scripting Vulnerability in Roundcube Email Client
CVE-2021-46144

6.1MEDIUM

Key Information:

Vendor

Roundcube

Status
Roundcube
Vendor
CVE Published:
6 January 2022

What is CVE-2021-46144?

Roundcube, the popular webmail client, suffers from a Cross-Site Scripting (XSS) vulnerability that allows attackers to exploit HTML email messages. By crafting malicious Cascading Style Sheets (CSS) token sequences, an attacker can inject harmful scripts, potentially compromising user data and email security. This vulnerability affects versions prior to 1.4.13 and 1.5.x before 1.5.2, highlighting the importance of regular updates to maintain a secure email environment.

References

https://github.com/roundcube/roundcubemail/commit/8894fdd...
x_refsource_MISC
https://roundcube.net/news/2021/12/30/update-1.5.2-released
x_refsource_MISC
https://github.com/roundcube/roundcubemail/commit/b2400a4...
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-46144 : Cross-Site Scripting Vulnerability in Roundcube Email Client