FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-25 11:22:49 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 038a5808-24b3-11e5-b0c8-bf4d8935d4fa
Description: roundcube -- multiple vulnerabilities

Roundcube reports:

We just published updates to both stable versions 1.0 and 1.1 after fixing many minor bugs and adding some security improvements to the 1.1 release branch. Version 1.0.6 comes with cherry-picked fixes from the more recent version to ensure proper long term support, especially in regard to security and compatibility.

The security-related fixes in particular are:

* XSS vulnerability in _mbox argument
* security improvement in contact photo handling
* potential info disclosure from temp directory

Discovery: 2015-05-30
Entry: 2015-07-07
Affected package: roundcube
  ge 1.1.0,1 lt 1.1.2,1
  < 1.0.6,1
References:
  CVE-2015-5381
  CVE-2015-5383
  http://openwall.com/lists/oss-security/2015/07/06/10
  https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released/
VuXML ID: 125f5958-b611-11e6-a9a5-b499baebfeaf
Description: Roundcube -- arbitrary command execution

The Roundcube project reports:

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the sendmail program is enabled, does not properly restrict the use of custom envelope-from addresses on the sendmail command line, which allows remote authenticated users to execute arbitrary code via a modified HTTP request that sends a crafted e-mail message.

Discovery: 2016-11-29
Entry: 2016-11-29
Modified: 2016-12-14
Affected package: roundcube
  < 1.2.3,1
References:
  CVE-2016-9920
  94858
  http://www.openwall.com/lists/oss-security/2016/12/08/17
  https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
VuXML ID: 35c0b572-125a-11de-a964-0030843d3802
Description: roundcube -- webmail script insertion and php code injection

Secunia reports:

Some vulnerabilities have been reported in RoundCube Webmail, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct script insertion attacks and compromise a vulnerable system.

The HTML "background" attribute within e.g. HTML emails is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if a malicious email is viewed.

Input passed via a vCard is not properly sanitised before being used in a call to "preg_replace()" with the "e" modifier in program/include/rcube_vcard.php. This can be exploited to inject and execute arbitrary PHP code by e.g. tricking a user into importing a malicious vCard file.

Discovery: 2009-01-21
Entry: 2009-03-16
Modified: 2009-03-26
Affected package: roundcube
  < 0.2.1,1
References:
  CVE-2009-0413
  http://secunia.com/advisories/33622/
  http://sourceforge.net/forum/forum.php?forum_id=927958
  http://trac.roundcube.net/changeset/2245
  http://trac.roundcube.net/ticket/1485689
VuXML ID: 42a4d82d-4603-11ec-8be6-d4c9ef517024
Description: Roundcube -- Multiple vulnerabilities

The Roundcube project reports:

XSS issue in handling attachment filename extension in mimetype mismatch warning

possible SQL injection via some session variables

Discovery: 2021-11-12
Entry: 2021-11-15
Affected package: roundcube
  < 1.4.12,1
References:
  https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released
VuXML ID: 47197b47-6a1a-11ec-8be6-d4c9ef517024
Description: Roundcube -- XSS vulnerability

The Roundcube project reports:

Cross-site scripting (XSS) via HTML messages with malicious CSS content

Discovery: 2021-12-30
Entry: 2021-12-31
Affected package: roundcube
  < 1.5.2,1
References:
  https://roundcube.net/news/2021/12/30/update-1.5.2-released
VuXML ID: 48894ca9-3e6f-11e8-92f0-f0def167eeea
Description: roundcube -- IMAP command injection vulnerability

Upstream reports:

This update primarily fixes a recently discovered IMAP-cmd-injection vulnerability caused by insufficient input validation within the archive plugin. Details about the vulnerability are published under CVE-2018-9846.

Discovery: 2018-04-11
Entry: 2018-04-13
Affected package: roundcube
  le 1.3.5,1
References:
  CVE-2018-9846
  https://roundcube.net/news/2018/04/11/security-update-1.3.6
VuXML ID: 4ae68e7c-dda4-11e0-a906-00215c6a37bb
Description: roundcube -- XSS vulnerability

RoundCube development team reports:

We just published a new release which fixes a recently reported XSS vulnerability as an update to the stable 0.5 branch. Please update your installations with this new version or patch them with the fix which is also published in the downloads section or our sourceforge.net page.

and:

During one of my pen-tests I found that the _mbox parameter is not properly sanitized and a reflected XSS attack is possible.

Discovery: 2011-08-09
Entry: 2011-09-13
Affected package: roundcube
  < 0.5.4,1
References:
  CVE-2011-2937
VuXML ID: 8f483746-d45d-11dd-84ec-001fc66e7203
Description: roundcube -- remote execution of arbitrary code

Entry for CVE-2008-5619 says:

html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.

Discovery: 2008-12-12
Entry: 2008-12-30
Affected package: roundcube
  < 0.2.b2,1
References:
  CVE-2008-5619
  http://trac.roundcube.net/ticket/1485618
VuXML ID: 97e86d10-2ea7-11e6-ae88-002590263bf5
Description: roundcube -- XSS vulnerability

Roundcube reports:

Fix XSS issue in href attribute on area tag (#5240).

Discovery: 2016-05-06
Entry: 2016-06-10
Affected package: roundcube
  < 1.1.5_1,1
References:
  CVE-2016-5103
  FreeBSD PR ports/209841
  https://github.com/roundcube/roundcubemail/issues/5240
  http://seclists.org/oss-sec/2016/q2/414
VuXML ID: a592e991-a919-11e2-ade0-8c705af55518
Description: roundcube -- arbitrary file disclosure vulnerability

RoundCube development team reports:

After getting reports about a possible vulnerability of Roundcube which allows an attacker to modify its users' preferences in a way that he/she can then read files from the server, we now published updated packages as well as patches that fix this security issue.

Discovery: 2013-03-27
Entry: 2013-04-19
Affected package: roundcube
  < 0.8.6,1
References:
  CVE-2013-1904
  https://secunia.com/advisories/52806/
VuXML ID: bce47c89-4d3f-11e7-8080-a4badb2f4699
Description: roundcube -- arbitrary password resets

Roundcube reports:

Roundcube Webmail allows arbitrary password resets by authenticated users. The problem is caused by an improperly restricted exec call in the virtualmin and sasl drivers of the password plugin.

Discovery: 2017-04-28
Entry: 2017-06-09
Affected package: roundcube
  < 1.2.5,1
References:
  https://roundcube.net/news/2017/04/28/security-updates-1.2.5-1.1.9-and-1.0.11
  CVE-2017-8114
VuXML ID: c906e0a4-efa6-11e1-8fbf-001b77d09812
Description: roundcube -- cross-site scripting in HTML email messages

The RoundCube 0.8.x branch prior to version 0.8.1 is prone to a cross-site scripting (XSS) attack originating from incoming HTML e-mails: because JavaScript code inside the "href" attribute is not properly sanitized, a sender could launch an XSS attack when the recipient opens the message in the RoundCube interface.

Discovery: 2012-08-14
Entry: 2012-08-27
Affected package: roundcube
  ge 0.8.0,1 lt 0.8.1,1
References:
  CVE-2012-3508
  http://trac.roundcube.net/wiki/Changelog
  http://trac.roundcube.net/ticket/1488613
VuXML ID: f622608c-c53c-11e7-a633-009c02a2ab30
Description: roundcube -- file disclosure vulnerability

MITRE reports:

Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before 1.3.3 allows unauthorized access to arbitrary files on the host's filesystem, including configuration files, as exploited in the wild in November 2017. The attacker must be able to authenticate at the target system with a valid username/password as the attack requires an active session.

Discovery: 2017-11-06
Entry: 2017-11-11
Modified: 2017-12-31
Affected package: roundcube
  < 1.3.3,1
References:
  https://github.com/roundcube/roundcubemail/issues/6026
  https://roundcube.net/news/2017/11/08/security-updates-1.3.3-1.2.7-and-1.1.10
  CVE-2017-16651
  FreeBSD PR ports/223557