CVE-2020-18671

Description

Cross Site Scripting (XSS) vulnerability in Roundcube Mail <=1.4.4 via smtp config in /installer/test.php.

How to fix CVE-2020-18671

To remediate CVE-2020-18671, upgrade the affected package to a fixed version below.

• Bitnami/roundcube—upgrade to 1.4.4 or later
• Debian/roundcube—upgrade to 1.4.5+dfsg.1-1 or later

Is CVE-2020-18671 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 1.4.4
• from 0, < 1.4.5+dfsg.1-1

CVSS scores

References (4)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-18671
• WEBgithub.com/roundcube/roundcubemail/issues/7406
• WEBlorexxar.cn/2020/06/10/roundcube-mail-xss/#store-xss-in-smtp-config
• WEBroundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12