Vulnerability Description
Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roundcube | Webmail | <= 0.3.1 |
Related Weaknesses (CWE)
References
- http://trac.roundcube.net/ticket/1486449Patch
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:048
- https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
- http://trac.roundcube.net/ticket/1486449Patch
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:048
- https://secure.grepular.com/DNS_Prefetch_Exposure_on_Thunderbird_and_Webmail
FAQ
What is CVE-2010-0464?
CVE-2010-0464 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the networ...
How severe is CVE-2010-0464?
CVE-2010-0464 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2010-0464?
Check the references section above for vendor advisories and patch information. Affected products include: Roundcube Webmail.