Search
Total
8 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-8114 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2019-10-03 | 6.5 MEDIUM | 8.8 HIGH |
| Roundcube Webmail allows arbitrary password resets by authenticated users. This affects versions before 1.0.11, 1.1.x before 1.1.9, and 1.2.x before 1.2.5. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin. | |||||
| CVE-2015-5381 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI. | |||||
| CVE-2015-5382 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2018-10-30 | 4.0 MEDIUM | 6.5 MEDIUM |
| program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard. | |||||
| CVE-2015-5383 | 1 Roundcube | 2 Roundcube Webmail, Webmail | 2018-10-30 | 5.0 MEDIUM | 7.5 HIGH |
| Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory. | |||||
| CVE-2015-8864 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | |||||
| CVE-2016-4068 | 2 Opensuse, Roundcube | 4 Leap, Opensuse, Roundcube Webmail and 1 more | 2018-10-30 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | |||||
| CVE-2015-8770 | 1 Roundcube | 1 Roundcube Webmail | 2018-10-09 | 6.0 MEDIUM | 7.5 HIGH |
| Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php. | |||||
| CVE-2015-8794 | 1 Roundcube | 1 Roundcube Webmail | 2016-02-25 | 4.0 MEDIUM | 6.5 MEDIUM |
| Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling. | |||||