rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.
References
Link | Resource |
---|---|
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released | Release Notes Vendor Advisory |
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124 | Patch Release Notes Third Party Advisory |
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4 | Patch Release Notes Third Party Advisory |
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8 | Patch Release Notes Third Party Advisory |
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305 | Issue Tracking Patch Third Party Advisory |
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4 | Issue Tracking Patch Third Party Advisory |
http://www.securityfocus.com/bid/96817 |
Configurations
Configuration 1 (hide)
|
Information
Published : 2017-03-11 21:59
Updated : 2018-10-30 09:27
NVD link : CVE-2017-6820
Mitre link : CVE-2017-6820
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
roundcube
- webmail