CVE-2021-26925

EUVD-2021-13707
Roundcube before 1.4.11 allows XSS via crafted Cascading Style Sheets (CSS) token sequences during HTML email rendering.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
Affected Products (NVD)
VendorProductVersion
roundcubewebmail
𝑥
< 1.4.11
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
roundcube
bookworm
1.6.5+dfsg-1+deb12u4
fixed
bookworm (security)
1.6.5+dfsg-1+deb12u4
fixed
bullseye
1.4.15+dfsg.1-1+deb11u4
fixed
bullseye (security)
1.4.15+dfsg.1-1+deb11u4
fixed
buster
not-affected
sid
1.6.9+dfsg-1
fixed
stretch
not-affected
trixie
1.6.9+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
roundcube
bionic
not-affected
focal
not-affected
groovy
ignored
hirsute
ignored
impish
Fixed 1.4.11+dfsg.1-4
released
jammy
Fixed 1.5.0+dfsg.1-2
released
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/
https://roundcube.net/news/2021/02/08/security-update-1.4.11
https://github.com/roundcube/roundcubemail/commit/9dc276d5f26042db02754fa1bac6fbd683c6d596
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QPAMYM2DQODSCQIAVNFJR2ETG7WMJOD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Q752JPOHTR6H72FK3EIPJZ5O24Z7RGLM/
https://roundcube.net/news/2021/02/08/security-update-1.4.11