Description: A PHP web-based mail client
Version: 1.6.5-1 [extra]


| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1551 | 1.4.10-2 | 1.4.11-1 | High | Fixed | |
| AVG-1388 | 1.4.9-1 | 1.4.10-1 | High | Fixed | FS#69131 |
| AVG-670 | 1.3.5-1 | 1.3.6-1 | High | Fixed | |
| AVG-506 | 1.3.2-1 | 1.3.3-1 | High | Fixed | |
| AVG-199 | 1.2.3-1 | 1.2.4-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-26925 | AVG-1551 | High | Yes | Cross-site scripting | Roundcube before 1.4.11 allows cross-site scripting (XSS) via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering. |
| CVE-2020-35730 | AVG-1388 | High | Yes | Cross-site scripting | A security issue was found in Roundcube Webmail before version 1.4.10, 1.3.16 and 1.2.13. linkref_addindex in rcube_string_replacer.php allowed performing a... |
| CVE-2018-9846 | AVG-670 | High | Yes | Arbitrary command execution | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid"... |
| CVE-2017-16651 | AVG-506 | High | Yes | Arbitrary filesystem access | Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in... |
| CVE-2017-6820 | AVG-199 | Medium | Yes | Cross-site scripting | It has been discovered that rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted... |


| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 12 Feb 2021 | ASA-202102-27 | AVG-1551 | High | cross-site scripting |
| 04 Jan 2021 | ASA-202101-2 | AVG-1388 | High | cross-site scripting |
| 19 Apr 2018 | ASA-201804-8 | AVG-670 | High | arbitrary command execution |
| 21 Nov 2017 | ASA-201711-27 | AVG-506 | High | arbitrary filesystem access |
| 14 Mar 2017 | ASA-201703-10 | AVG-199 | Medium | cross-site scripting |