Vulnerability in N/a
CVE-2020-13965
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
EPSS: 0.718 (98.8th percentile) — read the EPSS interpretation.
Affected products
- N/a — versions n/a
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Public proof-of-concept exploits
References
- github.com/roundcube/roundcubemail/releases/tag/1.4.5 (x_refsource_MISC)
- github.com/roundcube/roundcubemail/releases/tag/1.3.12 (x_refsource_MISC)
- github.com/roundcube/roundcubemail/commit/884eb611627ef2bd5a2e20e02009ebb1eceec… (x_refsource_MISC)
- github.com/roundcube/roundcubemail/compare/1.4.4...1.4.5 (x_refsource_MISC)
- roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12 (x_refsource_CONFIRM)
- DSA-4700 (vendor-advisory, x_refsource_DEBIAN)
- FEDORA-2020-2a1a6a8432 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2020-aeffd92b77 (vendor-advisory, x_refsource_FEDORA)
- github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-13965-Cross Site-Scri… (x_refsource_MISC)
Frequently asked questions
- What is CVE-2020-13965?
- CVE-2020-13965 is a vulnerability in N/a. Published 2020-06-09.
- Is CVE-2020-13965 known to be exploited?
- Yes. CVE-2020-13965 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2024-06-26), indicating it is being actively exploited. 3 public proof-of-concept repositories are indexed.