roundcubemail

Link	package \| bugs open \| bugs closed \| Wiki \| GitHub \| web search
Description	A PHP web-based mail client
Version	1.6.6-1 [extra]

Resolved

Group	Affected	Fixed	Severity	Status	Ticket
AVG-1551	1.4.10-2	1.4.11-1	High	Fixed
AVG-1388	1.4.9-1	1.4.10-1	High	Fixed	FS#69131
AVG-670	1.3.5-1	1.3.6-1	High	Fixed
AVG-506	1.3.2-1	1.3.3-1	High	Fixed
AVG-199	1.2.3-1	1.2.4-1	Medium	Fixed

Issue	Group	Severity	Remote	Type	Description
CVE-2021-26925	AVG-1551	High	Yes	Cross-site scripting	Roundcube before 1.4.11 allows cross-site scripting (XSS) via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
CVE-2020-35730	AVG-1388	High	Yes	Cross-site scripting	A security issue was found in Roundcube Webmail before version 1.4.10, 1.3.16 and 1.2.13. linkref_addindex in rcube_string_replacer.php allowed performing a...
CVE-2018-9846	AVG-670	High	Yes	Arbitrary command execution	In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid"...
CVE-2017-16651	AVG-506	High	Yes	Arbitrary filesystem access	Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in...
CVE-2017-6820	AVG-199	Medium	Yes	Cross-site scripting	It has been discovered that rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted...

Advisories

Date	Advisory	Group	Severity	Type
12 Feb 2021	ASA-202102-27	AVG-1551	High	cross-site scripting
04 Jan 2021	ASA-202101-2	AVG-1388	High	cross-site scripting
19 Apr 2018	ASA-201804-8	AVG-670	High	arbitrary command execution
21 Nov 2017	ASA-201711-27	AVG-506	High	arbitrary filesystem access
14 Mar 2017	ASA-201703-10	AVG-199	Medium	cross-site scripting