CVE-2020-35730
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVSS
—
No CVSS
EPSS
32.8%
p98
KEV
YES
Jun 22, 2023
Exploit Today
79
0-100
Published: — · Last modified: —
Product
Roundcube / Roundcube Webmail
Vulnerability
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
Added to KEV
Jun 22, 2023
Remediate by
Jul 13, 2023
Known ransomware use
No
Summary description
Roundcube Webmail contains a cross-site scripting (XSS) vulnerability that allows an attacker to send a plain text e-mail message with Javascript in a link reference element that is mishandled by linkref_addinindex in rcube_string_replacer.php.
Required action
Apply updates per vendor instructions.
Notes
https://roundcube.net/news/2020/12/27/security-updates-1.4.10-1.3.16-and-1.2.13; https://nvd.nist.gov/vuln/detail/CVE-2020-35730