CVE-2020-13965: Cross-Site Scripting (XSS) Vulnerability in Roundcube Webmail and Other Products
Published on June 9, 2020

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. A cross-site scripting (XSS) vulnerability can be triggered through a malicious XML attachment, because text/xml is among the content types the webmail client is allowed to render inline as an attachment preview. A browser treats an XML document served inline as active content (for example when it declares the XHTML or SVG namespace), so script embedded in the attachment runs in the context of the webmail origin when the recipient previews it.


Known Exploited Vulnerability

This Roundcube Webmail cross-site scripting (XSS) vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. CISA's entry reads: Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows a remote attacker to manipulate data via a malicious XML attachment.

The required action, due July 17, 2024 for federal civilian agencies under BOD 22-01 and recommended for everyone else: apply mitigations per vendor instructions (upgrade to Roundcube 1.3.12 / 1.4.5 or later), or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2020-13965 is exploitable over the network with low attack complexity and no privileges, but requires user interaction: the victim has to open the attachment preview. Its CVSS v3.1 exploitability subscore is 2.8 (of a possible 3.9). The impact is rated low on confidentiality and integrity and none on availability, giving a base score of 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; the changed scope reflects that the script executes in the browser, outside the vulnerable server component.

What is an XSS Vulnerability?

The software does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is used as a web page served to other users (CWE-79).

CVE-2020-13965 is classified as an XSS vulnerability, CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
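The following Python model is an added example and is not Roundcube's code. It illustrates the bug class described in the vulnerability summary and in the CWE-79 definition above: an inline-preview allow-list that includes text/xml, shown beside a hardened policy that drops XML from the allow-list, forces a download for anything not on it, and sets X-Content-Type-Options: nosniff so the browser cannot sniff the body back into an active type. It also includes a small triage heuristic for flagging XML attachments that declare an XHTML or SVG namespace or contain a script element. All names (attachment_headers, WEAK_PREVIEW_TYPES, SAFE_PREVIEW_TYPES, executes_script, xml_has_active_markup) and the sample attachments are assumptions constructed for this example; the allow-lists are not Roundcube's actual configuration.

```python
import re

# Hypothetical allow-lists for inline attachment preview. They are not Roundcube's
# configuration; they model the weak policy (text/xml previewable) and the corrected one.
WEAK_PREVIEW_TYPES = frozenset({
    "text/plain", "text/html", "text/xml", "image/png", "image/jpeg", "image/gif",
})
SAFE_PREVIEW_TYPES = frozenset({"text/plain", "image/png", "image/jpeg", "image/gif"})

# Media types a browser renders as an active document when served inline: script
# inside them runs in the serving origin. text/xml belongs here because the browser
# honours XHTML and SVG namespaces declared inside the XML document.
ACTIVE_TYPES = frozenset({
    "text/html", "application/xhtml+xml", "text/xml", "application/xml", "image/svg+xml",
})

_ACTIVE_NAMESPACE = re.compile(
    r'xmlns(?::[\w.-]+)?\s*=\s*"http://www\.w3\.org/(?:1999/xhtml|2000/svg)"', re.I)
_SCRIPT_ELEMENT = re.compile(r"<(?:[\w.-]+:)?script\b", re.I)


def normalise_type(content_type):
    """Lowercase media type with parameters stripped: 'Text/XML; charset=utf-8' -> 'text/xml'."""
    return content_type.split(";", 1)[0].strip().lower()


def safe_filename(filename):
    """Replace characters that could break out of the Content-Disposition header or a path."""
    return re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"


def attachment_headers(content_type, filename, allowed):
    """Decide how an attachment is served under a given preview allow-list.

    Types on the allow-list are rendered inline. Everything else is forced to
    download as application/octet-stream; nosniff is set in both cases so the
    browser cannot reinterpret the body as HTML or XML.
    """
    name = safe_filename(filename)
    if normalise_type(content_type) in allowed:
        return {
            "Content-Type": content_type,
            "Content-Disposition": f'inline; filename="{name}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


def executes_script(headers):
    """True if a browser receiving these headers would run script from the body."""
    disposition = headers["Content-Disposition"].split(";", 1)[0].strip().lower()
    return disposition == "inline" and normalise_type(headers["Content-Type"]) in ACTIVE_TYPES


def xml_has_active_markup(xml_text):
    """Triage heuristic for XML attachments: flags an XHTML/SVG namespace declaration
    or a script element. Not a parser; intended for mail-flow alerting, not blocking."""
    return bool(_ACTIVE_NAMESPACE.search(xml_text) or _SCRIPT_ELEMENT.search(xml_text))


# Constructed sample attachment (not a real-world capture): well-formed XML whose root
# element lives in the XHTML namespace, so an inline text/xml preview executes the script.
MALICIOUS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '  <body><script>alert(document.cookie)</script></body>\n'
    '</html>\n'
)

# Constructed benign XML for comparison.
BENIGN_XML = '<?xml version="1.0"?>\n<invoice><total currency="EUR">42.00</total></invoice>\n'


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_PREVIEW_TYPES), ("hardened", SAFE_PREVIEW_TYPES)):
        h = attachment_headers("text/xml; charset=utf-8", 'evil".xml\r\n', policy)
        print(f"{label:8} {h['Content-Disposition']:40} script runs: {executes_script(h)}")
    print("malicious flagged:", xml_has_active_markup(MALICIOUS_XML))
    print("benign flagged:   ", xml_has_active_markup(BENIGN_XML))
```

Under the weak policy the same XML body is served inline as text/xml and the script runs; under the hardened policy it becomes an octet-stream download and never reaches the renderer. The nosniff header matters even for the allowed image types, since without it some browsers will sniff a file whose bytes look like markup regardless of the declared type.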


Products Associated with CVE-2020-13965

You can be notified by stack.watch whenever vulnerabilities like CVE-2020-13965 are published in these products:

What versions are vulnerable to CVE-2020-13965?