CVE-2020-35730 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-35730 PUBLISHED KEV

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

EPSS 64.81% · 98.4th percentile

Risk Scores

EPSS Score

64.81%

98.4th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	roundcube	1.4.3+dfsg.1-1ubuntu0.1~esm1, 1.4.3+dfsg.1-1, 1.4.2+dfsg.1-1
Ubuntu:Pro:18.04:LTS	roundcube	1.3.3+dfsg.1-2, 0, 1.3.0+dfsg.1-1
Ubuntu:Pro:16.04:LTS	roundcube	0, ,

Timeline

Dec 27, 2020 CVE Published
Dec 28, 2020 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Jun 22, 2023 CISA KEV Added
Jun 22, 2023 PoC Published
Jun 22, 2023 CVE Updated
Jun 23, 2023 EPSS Score
Jun 28, 2023 PoC Published
Jul 8, 2023 EPSS Score
Nov 8, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2020-35730 third-party-advisory
https://github.com/roundcube/roundcubemail/commit/0bceba301aa621ecc0263eac17beee2a4cef0c6d third-party-advisory
https://github.com/roundcube/roundcubemail/commit/a06ec1dcf9c972d302b16e1ac6aa079a4f6a1c3e third-party-advisory
https://github.com/roundcube/roundcubemail/commit/47e4d44f62ea16f923761d57f1773a66d51afad4 third-party-advisory
https://ubuntu.com/security/notices/USN-5182-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2020-35730 third-party-advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog third-party-advisory

Open in Interactive Console →