Roundcube Webmail

stack.watch can notify you when security vulnerabilities are reported in Roundcube Webmail. You can add multiple products that you use with Webmail to create your own personal software stack watcher.

By the Year

In 2020 there have been 6 vulnerabilities in Roundcube Webmail, with an average score of 7.4 out of ten. Last year Webmail had 2 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2020 than in all of last year. The average CVE base score of the 2020 vulnerabilities is also 1.55 higher than last year's.

Year   Vulnerabilities   Average Score
2020   6                 7.40
2019   2                 5.85
2018   2                 8.15

It may take a day or so for new Webmail vulnerabilities to show up. Additionally, vulnerabilities may be tagged under a different product or component name.

Latest Roundcube Webmail Security Vulnerabilities

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5

CVE-2020-13964 6.1 - Medium - June 09, 2020

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.

XSS

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5

CVE-2020-13965 6.1 - Medium - June 09, 2020

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

XSS

Roundcube Webmail before 1.4.4

CVE-2020-12640 9.8 - Critical - May 04, 2020

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plugin name to rcube_plugin_api.php.

Directory traversal

rcube_image.php in Roundcube Webmail before 1.4.4

CVE-2020-12641 9.8 - Critical - May 04, 2020

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Argument Injection or Modification

An issue was discovered in Roundcube Webmail before 1.4.4

CVE-2020-12625 6.1 - Medium - May 04, 2020

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

XSS

An issue was discovered in Roundcube Webmail before 1.4.4

CVE-2020-12626 6.5 - Medium - May 04, 2020

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

Cross-Site Request Forgery (CSRF, CWE-352)

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names

CVE-2019-15237 7.4 - High - August 20, 2019

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.

Improper Input Validation

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails

CVE-2019-10740 4.3 - Medium - April 07, 2019

In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIME or PGP encrypted emails can wrap them as sub-parts within a crafted multipart email. The encrypted part(s) can further be hidden using HTML/CSS or ASCII newline characters. This modified multipart email can be re-sent by the attacker to the intended receiver. If the receiver replies to this benign-looking email, they unknowingly leak the plaintext of the encrypted message part(s) back to the attacker.

In Roundcube from versions 1.2.0 to 1.3.5

CVE-2018-9846 8.8 - High - April 07, 2018

In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid" parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence. NOTE: this is less easily exploitable in 1.3.4 and later because of a Same Origin Policy protection mechanism.

Improper Input Validation

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin

CVE-2018-1000071 7.5 - High - March 13, 2018

Roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in the enigma plugin that can result in exfiltration of the GPG private key. This attack appears to be exploitable via network connectivity.

Incorrect Permission Assignment for Critical Resource