NVD Vulnerability Detail

CVE-2020-12625

Summary	An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.
Publication Date	May 4, 2020, 11:15 a.m.
Registration Date	Jan. 26, 2021, 11:51 a.m.
Last Update	Nov. 21, 2024, 1:59 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:roundcube:webmail::::::::					1.4.4

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:15.1:::::::*
cpe:2.3:a:opensuse:backports_sle:15.0:sp1::::::
cpe:2.3:o:opensuse:leap:15.2:::::::*
cpe:2.3:a:opensuse:backports_sle:15.0:sp2::::::

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html	Third Party Advisory
2	https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube	Exploit Third Party Advisory
3	https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0	Patch Third Party Advisory
4	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4	Patch Third Party Advisory
5	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4	Third Party Advisory
6	https://security.gentoo.org/glsa/202007-41	Third Party Advisory
7	https://www.debian.org/security/2020/dsa-4674	Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html	Third Party Advisory
9	https://www.debian.org/security/2020/dsa-4674	Third Party Advisory
10	https://security.gentoo.org/glsa/202007-41	Third Party Advisory
11	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4	Third Party Advisory
12	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4	Patch Third Party Advisory
13	https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0	Patch Third Party Advisory
14	https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2020-12625-Cross%20Site-Scripting%20via%20Malicious%20HTML%20Attachment-Roundcube	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Roundcube Webmail におけるクロスサイトスクリプティングの脆弱性

Title	Roundcube Webmail におけるクロスサイトスクリプティングの脆弱性
Summary	Roundcube Webmail には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 30, 2020, midnight
Registration Date	May 28, 2020, 12:06 p.m.
Last Update	May 28, 2020, 12:06 p.m.

Affected System

Debian

Debian GNU/Linux

Roundcube.net

Webmail 1.4.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-12625	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12625
National Vulnerability Database (NVD)
2	CVE-2020-12625	https://nvd.nist.gov/vuln/detail/CVE-2020-12625

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-4674	https://www.debian.org/security/2020/dsa-4674
GitHub
2	Comparing changes	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
3	Fix XSS issue in handling of CDATA in HTML messages	https://github.com/roundcube/roundcubemail/commit/87e4cd0cf2c550e77586860b94e5c75d2b7686d0
4	Roundcube Webmail 1.4.4	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

Change Log

No	Changed Details	Date of change
1	[2020年05月28日] 掲載	May 28, 2020, 12:06 p.m.