CVE-2019-15237

Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, leading to homograph attacks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.4 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 43%
VendorProductVersion
roundcubewebmail
𝑥
≤ 1.3.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bullseye (security)
vulnerable
bullseye
ignored
buster
ignored
stretch
no-dsa
bookworm
1.6.5+dfsg-1+deb12u4
fixed
bookworm (security)
1.6.5+dfsg-1+deb12u4
fixed
sid
1.6.9+dfsg-1
fixed
trixie
1.6.9+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
roundcube
noble
Fixed 1.5.0+dfsg.1-2
released
mantic
Fixed 1.5.0+dfsg.1-2
released
lunar
Fixed 1.5.0+dfsg.1-2
released
kinetic
Fixed 1.5.0+dfsg.1-2
released
jammy
Fixed 1.5.0+dfsg.1-2
released
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
bionic
needed
xenial
needed
trusty
dne
References
https://github.com/roundcube/roundcubemail/issues/6891
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/
https://github.com/roundcube/roundcubemail/issues/6891
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TFFMSO5WKEYSGMTZPZFF4ZADUJ57PRN5/