Vulnerability in N/a
CVE-2020-35730
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addi…
EPSS: 0.674 (98.6th percentile) — read the EPSS interpretation.
Affected products
- N/a — versions n/a
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
References
- roundcube.net/download/ (x_refsource_MISC)
- github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10 (x_refsource_CONFIRM)
- bugs.debian.org/cgi-bin/bugreport.cgi (x_refsource_CONFIRM)
- www.alexbirnberg.com/roundcube-xss.html (x_refsource_MISC)
- github.com/roundcube/roundcubemail/releases/tag/1.4.10 (x_refsource_CONFIRM)
- github.com/roundcube/roundcubemail/releases/tag/1.3.16 (x_refsource_CONFIRM)
- github.com/roundcube/roundcubemail/releases/tag/1.2.13 (x_refsource_CONFIRM)
- FEDORA-2021-2cb0643316 (vendor-advisory, x_refsource_FEDORA)
- FEDORA-2021-73359af51c (vendor-advisory, x_refsource_FEDORA)
Frequently asked questions
- What is CVE-2020-35730?
- CVE-2020-35730 is a vulnerability in N/a. Published 2020-12-28.
- Is CVE-2020-35730 known to be exploited?
- Yes. CVE-2020-35730 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2023-06-22), indicating it is being actively exploited. 9 public proof-of-concept repositories are indexed.