An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.
References
Link | Resource |
---|---|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491 | Issue Tracking Mailing List |
https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 | Patch |
https://github.com/roundcube/roundcubemail/releases/tag/1.2.13 | Release Notes |
https://github.com/roundcube/roundcubemail/releases/tag/1.3.16 | Release Notes |
https://github.com/roundcube/roundcubemail/releases/tag/1.4.10 | Release Notes |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/ | Mailing List Release Notes |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/ | Mailing List Release Notes |
https://roundcube.net/download/ | Product |
https://www.alexbirnberg.com/roundcube-xss.html | Broken Link |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-12-28T19:37:08
Updated: 2021-01-13T03:06:08
Reserved: 2020-12-27T00:00:00
Link: CVE-2020-35730
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-12-28T20:15:13.150
Modified: 2024-06-27T19:16:14.907
Link: CVE-2020-35730
JSON object: View
Redhat Information
No data.
CWE