CISA Known Exploited Vulnerability (KEV)
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability (CVE-2020-13965)
Date added: June 26, 2024
Due date: July 17, 2024
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. A malicious XML attachment can trigger cross-site scripting (XSS) because text/xml is among the MIME types allowed for inline attachment preview, so attacker-controlled markup is rendered in the webmail origin instead of being offered only as a download.
References
- https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross%20Site-Scripting%20via%20Malicious%20XML%20Attachment-Roundcube
- https://github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceecdc3
- https://github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.12
- https://github.com/roundcube/roundcubemail/releases/tag/1.4.5
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/
- https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
- https://www.debian.org/security/2020/dsa-4700