Description
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
Roundcube Webmail contains a Cross-Site Scripting (XSS) vulnerability in its SVG handling. The application fails to properly sanitize the animate tag within SVG documents, allowing attackers to inject malicious scripts, potentially enabling session hijacking, credential theft, or unauthorized actions on behalf of the victim.
Report
This flaw is rated Moderate because successful exploitation requires user interaction: the victim must open an email containing a malicious SVG attachment or view inline SVG content. While this limits the attack surface, a successful exploit could allow an attacker to execute scripts in the victim's webmail session, potentially leading to session hijacking or unauthorized actions.
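The advisory above pins the problem on the animate tag inside SVG documents. As an added example (not Roundcube's own code or fix), the following defender-side check reports and strips SMIL animation elements from an SVG before it would be rendered inline; it generalises from the animate tag named on the page to the other SMIL animation elements, and the sample SVG is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# The advisory names <animate>; the other SMIL animation elements are
# treated the same here (an assumption of this example, not the page's).
ANIMATION_TAGS = {"animate", "set", "animateMotion", "animateTransform"}


def _local(tag):
    """Strip the namespace from an ElementTree tag like '{uri}animate'."""
    return tag.rsplit("}", 1)[-1]


def find_animation_elements(svg_text):
    """Return (tag, attributes) for every SMIL animation element found."""
    root = ET.fromstring(svg_text)
    return [(_local(e.tag), dict(e.attrib))
            for e in root.iter() if _local(e.tag) in ANIMATION_TAGS]


def strip_animation_elements(svg_text):
    """Return (cleaned_svg, removed_count) with animation elements dropped."""
    ET.register_namespace("", SVG_NS)  # keep the default xmlns on output
    root = ET.fromstring(svg_text)
    # Collect first, then remove, so the tree is not modified mid-walk.
    doomed = [(parent, child) for parent in root.iter()
              for child in parent if _local(child.tag) in ANIMATION_TAGS]
    for parent, child in doomed:
        parent.remove(child)
    return ET.tostring(root, encoding="unicode"), len(doomed)


# Constructed sample: a harmless radius animation, enough to show that
# the checker flags the element and the sanitizer removes it.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="40" height="40">'
    '<circle cx="20" cy="20" r="5">'
    '<animate attributeName="r" from="5" to="15" dur="1s"/>'
    '</circle></svg>'
)

if __name__ == "__main__":
    print(find_animation_elements(SAMPLE_SVG))
    cleaned, removed = strip_animation_elements(SAMPLE_SVG)
    print(removed, cleaned)
```

In production, parse untrusted XML with defusedxml rather than the stdlib parser, and treat this as one check alongside the vendor's patched sanitizer, not a replacement for upgrading to 1.5.12 or 1.6.12.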
Source references
Additional information
Status:
EPSS
CVSS3: 6.1 Medium
Related vulnerabilities
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.
A vulnerability in the RoundCube Webmail mail client, related to a failure to protect the structure of the web page, which allows an attacker to carry out cross-site scripting (XSS) attacks