NVD Vulnerability Detail

CVE-2020-12626

Summary	An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.
Publication Date	May 4, 2020, 11:15 a.m.
Registration Date	Jan. 26, 2021, 11:51 a.m.
Last Update	Nov. 21, 2024, 1:59 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:roundcube:webmail::::::::					1.4.4

Related information, measures and tools

No	URL	タグ
1	https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6	Patch Third Party Advisory
2	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4	Patch Third Party Advisory
3	https://github.com/roundcube/roundcubemail/pull/7302	Exploit Issue Tracking Patch Third Party Advisory
4	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4	Third Party Advisory
5	https://security.gentoo.org/glsa/202007-41	Third Party Advisory
6	https://www.debian.org/security/2020/dsa-4674	Third Party Advisory
7	https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6	Patch Third Party Advisory
8	https://www.debian.org/security/2020/dsa-4674	Third Party Advisory
9	https://security.gentoo.org/glsa/202007-41	Third Party Advisory
10	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4	Third Party Advisory
11	https://github.com/roundcube/roundcubemail/pull/7302	Exploit Issue Tracking Patch Third Party Advisory
12	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

JVN Vulnerability Information

Roundcube Webmail におけるクロスサイトリクエストフォージェリの脆弱性

Title	Roundcube Webmail におけるクロスサイトリクエストフォージェリの脆弱性
Summary	Roundcube Webmail には、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 30, 2020, midnight
Registration Date	May 28, 2020, 12:06 p.m.
Last Update	May 28, 2020, 12:06 p.m.

Affected System

Debian

Debian GNU/Linux

Roundcube.net

Webmail 1.4.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-12626	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12626
National Vulnerability Database (NVD)
2	CVE-2020-12626	https://nvd.nist.gov/vuln/detail/CVE-2020-12626

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-352	https://jvndb.jvn.jp/ja/cwe/CWE-352.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-4674	https://www.debian.org/security/2020/dsa-4674
GitHub
2	Comparing changes	https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4
3	Fix CSRF attack that can cause an authenticated user to be logged out #7302	https://github.com/roundcube/roundcubemail/pull/7302
4	Fix CSRF bypass that could be used to log out an authenticated user (#7302)	https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6
5	Roundcube Webmail 1.4.4	https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

Change Log

No	Changed Details	Date of change
1	[2020年05月28日] 掲載	May 28, 2020, 12:06 p.m.