CVE-2020-35730

Опубликовано: 28 дек. 2020

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Средний

Описание

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Ссылки

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491
Issue Tracking
Mailing List
https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10
Patch
https://github.com/roundcube/roundcubemail/releases/tag/1.2.13
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.3.16
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.4.10
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/
Mailing List
Release Notes
https://roundcube.net/download/
Product
https://www.alexbirnberg.com/roundcube-xss.html
Broken Link
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491
Issue Tracking
Mailing List
https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10
Patch
https://github.com/roundcube/roundcubemail/releases/tag/1.2.13
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.3.16
Release Notes
https://github.com/roundcube/roundcubemail/releases/tag/1.4.10
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/
Mailing List
Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/
Mailing List
Release Notes
https://roundcube.net/download/
Product
https://www.alexbirnberg.com/roundcube-xss.html
Broken Link
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-35730
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия до 1.2.13 (исключая)

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия от 1.3.0 (включая) до 1.3.16 (исключая)

cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*

Версия от 1.4 (включая) до 1.4.10 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 99%

0.69032

Средний

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

CVE-2020-35730

CVSS3: 6.1

ubuntu

около 5 лет назад

CVE-2020-35730

CVSS3: 6.1

debian

около 5 лет назад

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x ...

GHSA-mr5j-h8xf-5m2m

CVSS3: 6.1

github

больше 3 лет назад

linkref_addindex in rcube_string_replacer.php in Roundcube Webmail before 1.4.10 allows XSS via a crafted email message.

BDU:2021-01759

CVSS3: 6.1

fstec

около 5 лет назад

Уязвимость функции linkref_addindex компонента rcube_string_replacer.php почтового клиента Roundcube, связанная с недостатками используемых мер по защите структур веб-страницы, позволяющая нарушителю оказать воздействие на целостность данных

openSUSE-SU-2021:0931-1

suse-cvrf

больше 4 лет назад

Security update for roundcubemail

EPSS

Процентиль: 99%

0.69032

Средний

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79