roundcube roundcube CVE-2020-35730 vulnerability in Roundcube and Other Products
Published on December 28, 2020

product logo product logo product logo
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Vendor Advisory NVD

Known Exploited Vulnerability

This Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.

The following remediation steps are recommended / required by July 13, 2023: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2020-35730 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2020-35730 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2020-35730

You can be notified by whenever vulnerabilities like CVE-2020-35730 are published in these products:


What versions are vulnerable to CVE-2020-35730?