CVE-2015-8793

EUVD-2015-8665
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 50%
Affected Products (NVD)
VendorProductVersion
roundcubewebmail
𝑥
≤ 1.0.5
roundcubewebmail
1.1.0
roundcubewebmail
1.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
1.6.5+dfsg-1+deb12u4
fixed
bookworm (security)
1.6.5+dfsg-1+deb12u4
fixed
bullseye
1.4.15+dfsg.1-1+deb11u4
fixed
bullseye (security)
1.4.15+dfsg.1-1+deb11u4
fixed
sid
1.6.9+dfsg-1
fixed
squeeze
not-affected
trixie
1.6.9+dfsg-1
fixed
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
roundcube
artful
ignored
bionic
not-affected
cosmic
not-affected
disco
not-affected
precise
ignored
trusty
dne
vivid
ignored
wily
ignored
xenial
not-affected
yakkety
ignored
zesty
ignored
Common Weakness Enumeration
References
http://trac.roundcube.net/ticket/1490417
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.2
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
http://trac.roundcube.net/ticket/1490417
http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.2
https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/