Vulnerability CVE-2020-16145: Information

Description

Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in HTML messages during message display via a crafted SVG document. This issue has been fixed in 1.4.8 and 1.3.15.

Severity: MEDIUM (6.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Published: Aug. 12, 2020
Modified: Nov. 7, 2023
Error type identifier: CWE-79

Fixed packages

Package name  Branch    Fixed in version  Version from repository  Errata ID           Task #  State
roundcube     sisyphus  1.4-alt1          1.6.5-alt1               ALT-PU-2019-3109-1  240511  Fixed
roundcube     p10       1.4-alt1          1.4.11-alt2              ALT-PU-2019-3109-1  240511  Fixed
roundcube     p9        1.4.8-alt1        1.4.10-alt1              ALT-PU-2020-2554-1  256155  Fixed
roundcube     c10f1     1.4-alt1          1.4.11-alt2              ALT-PU-2019-3109-1  240511  Fixed
roundcube     c9f2      1.4.8-alt1        1.4.8-alt1               ALT-PU-2020-2554-1  256155  Fixed

References to Advisories, Solutions, and Tools

    Configuration 1

      cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
      End excluding: 1.3.15

      cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
      Start including: 1.4.0
      End excluding: 1.4.8

    Configuration 2

      cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*