CVE-2020-35730

Name
CVE-2020-35730
Description
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491
Patch https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10
Vendor Advisory https://roundcube.net/download/
CONFIRM https://github.com/roundcube/roundcubemail/releases/tag/1.4.10
CONFIRM https://github.com/roundcube/roundcubemail/releases/tag/1.2.13
MISC https://www.alexbirnberg.com/roundcube-xss.html
CONFIRM https://github.com/roundcube/roundcubemail/releases/tag/1.3.16
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:roundcube:roundcube:*:*:*:*:*:*:*:* roundcube >= None < 1.4.10
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* webmail >= None < 1.4.10
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* webmail >= 1.4 < 1.4.10
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* webmail >= 1.3.0 < 1.3.16
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* webmail >= None < 1.2.13

Vulnerable and fixed packages

Source package Branch Version Maintainer Status