Vulnerability Description
Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roundcube | Webmail | <= 1.0.5 |
Related Weaknesses (CWE)
References
- http://trac.roundcube.net/ticket/1490417ExploitIssue TrackingPatch
- http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.2Release Notes
- https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/PatchVendor Advisory
- http://trac.roundcube.net/ticket/1490417ExploitIssue TrackingPatch
- http://trac.roundcube.net/wiki/Changelog#RELEASE1.1.2Release Notes
- https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/PatchVendor Advisory
FAQ
What is CVE-2015-8793?
CVE-2015-8793 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox par...
How severe is CVE-2015-8793?
CVE-2015-8793 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-8793?
Check the references section above for vendor advisories and patch information. Affected products include: Roundcube Webmail.