CVE-2012-4668

Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2012/08/20/9
http://www.openwall.com/lists/oss-security/2012/08/20/2
http://trac.roundcube.net/ticket/1488613
http://sourceforge.net/news/?group_id=139281&id=309011
https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:roundcube:webmail:0.8.0:::::::*
	cpe:2.3:a:roundcube:webmail:0.7.2:::::::*
	cpe:2.3:a:roundcube:webmail:0.5.2:::::::*
	cpe:2.3:a:roundcube:webmail:0.5:beta::::::
	cpe:2.3:a:roundcube:webmail:0.5.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.4.2:::::::*
	cpe:2.3:a:roundcube:webmail:0.3:beta::::::
	cpe:2.3:a:roundcube:webmail:0.2:::::::*
	cpe:2.3:a:roundcube:webmail:0.1.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.1:alpha::::::
	cpe:2.3:a:roundcube:webmail:0.5:::::::*
	cpe:2.3:a:roundcube:webmail:0.5.4:::::::*
	cpe:2.3:a:roundcube:webmail:0.1:rc1::::::
	cpe:2.3:a:roundcube:webmail:0.4:::::::*
	cpe:2.3:a:roundcube:webmail:0.1:beta2::::::
	cpe:2.3:a:roundcube:webmail::::::::
	cpe:2.3:a:roundcube:webmail:0.1:beta::::::
	cpe:2.3:a:roundcube:webmail:0.3:rc1::::::
	cpe:2.3:a:roundcube:webmail:0.5:rc::::::
	cpe:2.3:a:roundcube:webmail:0.2:alpha::::::
	cpe:2.3:a:roundcube:webmail:0.1:rc2::::::
	cpe:2.3:a:roundcube:webmail:0.7:::::::*
	cpe:2.3:a:roundcube:webmail:0.6:::::::*
	cpe:2.3:a:roundcube:webmail:0.2.2:::::::*
	cpe:2.3:a:roundcube:webmail:0.3:::::::*
	cpe:2.3:a:roundcube:webmail:0.4:beta::::::
	cpe:2.3:a:roundcube:webmail:0.7.3:::::::*
	cpe:2.3:a:roundcube:webmail:0.4.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.7.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.5.3:::::::*
	cpe:2.3:a:roundcube:webmail:0.2:beta::::::
	cpe:2.3:a:roundcube:webmail:0.3.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.2.1:::::::*
	cpe:2.3:a:roundcube:webmail:0.1:::::::*

Information

Published : 2012-08-25 03:29

Updated : 2012-08-26 21:00

NVD link : CVE-2012-4668

Mitre link : CVE-2012-4668

JSON object : View

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Products Affected

roundcube

webmail

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.openwall.com/lists/oss-security/2012/08/20/9", "name": "[oss-security] 20120820 Re: CVE-request: Roundcube XSS issues", "tags": [], "refsource": "MLIST"}, {"url": "http://www.openwall.com/lists/oss-security/2012/08/20/2", "name": "[oss-security] 20120820 CVE-request: Roundcube XSS issues", "tags": [], "refsource": "MLIST"}, {"url": "http://trac.roundcube.net/ticket/1488613", "name": "http://trac.roundcube.net/ticket/1488613", "tags": [], "refsource": "CONFIRM"}, {"url": "http://sourceforge.net/news/?group_id=139281&id=309011", "name": "http://sourceforge.net/news/?group_id=139281&id=309011", "tags": [], "refsource": "CONFIRM"}, {"url": "https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32", "name": "https://github.com/roundcube/roundcubemail/commit/c086978f6a91eacb339fd2976202fca9dad2ef32", "tags": ["Patch"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in Roundcube Webmail 0.8.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the signature in an email."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-79"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2012-4668", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}}, "publishedDate": "2012-08-25T10:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.3:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:alpha:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:beta2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "0.8.1"}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.3:rc1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5:rc:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.2:alpha:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:rc2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.4:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.7.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.2:beta:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:roundcube:webmail:0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2012-08-27T04:00Z"}

4.3 /10