CVE-2020-13965
Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
6.1
MEDIUM
CVSS 3.1
⚠ KEVEPSS 71.8%
Description
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
How to fix CVE-2020-13965
To remediate CVE-2020-13965, upgrade the affected package to a fixed version below.
- —upgrade to 1.3.12 or later
- —upgrade to 1.4.5+dfsg.1-1 or later
Is CVE-2020-13965 being exploited?
Yes — CVE-2020-13965 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (2)
- from 0, < 1.3.12, >= 1.4.0, < 1.4.5
- from 0, < 1.4.5+dfsg.1-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |