CVE-2018-19206
PUBLISHED
steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.
EPSS 0.45% · 63.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:16.04:LTS | roundcube | *, 0, 1.1.1+dfsg.1-2 |
| Ubuntu:Pro:18.04:LTS | roundcube | 1.3.1+dfsg.1-1, 1.3.3+dfsg.1-1, 1.3.3+dfsg.1-2 |
Exploit Intelligence
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.8 (circl)
- https://roundcube.net/news/2018/10/26/update-1.3.8-released (circl)
- DSA-4344 (circl)
- roundcube.yml (github-poc)
Timeline
- Nov 12, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
- May 13, 2023 EPSS Score
- Jul 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-19206 third-party-advisory
- https://roundcube.net/news/2018/10/26/update-1.3.8-released third-party-advisory
- https://github.com/roundcube/roundcubemail/issues/6410 third-party-advisory
- https://github.com/roundcube/roundcubemail/commit/102fbf1169116fef32a940b9fb1738bc45276059 third-party-advisory
- https://github.com/roundcube/roundcubemail/commit/adcac3b9de2728c34c4d2b107e54823b6a7f6a5b third-party-advisory
- https://github.com/roundcube/roundcubemail/releases/tag/1.3.8 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-19206 third-party-advisory