Description: A PHP web-based mail client
Version: 1.3.8-1 [community]


| Group | Affected | Fixed | Severity | Status | Ticket |
| --- | --- | --- | --- | --- | --- |
| AVG-670 | 1.3.5-1 | 1.3.6-1 | High | Fixed | |
| AVG-506 | 1.3.2-1 | 1.3.3-1 | High | Fixed | |
| AVG-199 | 1.2.3-1 | 1.2.4-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
| --- | --- | --- | --- | --- | --- |
| CVE-2018-9846 | AVG-670 | High | Yes | Arbitrary command execution | In Roundcube from versions 1.2.0 to 1.3.5, with the archive plugin enabled and configured, it's possible to exploit the unsanitized, user-controlled "_uid"... |
| CVE-2017-6820 | AVG-199 | Medium | Yes | Cross-site scripting | It has been discovered that rcube_utils.php in Roundcube before 1.1.8 and before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted... |
| CVE-2017-16651 | AVG-506 | High | Yes | Arbitrary filesystem access | Roundcube Webmail 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in... |


| Date | Advisory | Group | Severity | Description |
| --- | --- | --- | --- | --- |
| 19 Apr 2018 | ASA-201804-8 | AVG-670 | High | arbitrary command execution |
| 21 Nov 2017 | ASA-201711-27 | AVG-506 | High | arbitrary filesystem access |
| 14 Mar 2017 | ASA-201703-10 | AVG-199 | Medium | cross-site scripting |