CVE-2011-2937

Roundcube Webmail < 0.5.3 - XSS

Title source: rule

Description

Cross-site scripting (XSS) vulnerability in the UI messages functionality in Roundcube Webmail before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

References (10)

[Mailing List] http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

[Product] http://sourceforge.net/news/?group_id=139281&id=302769

[Various Sources] http://trac.roundcube.net/browser/tags/roundcubemail/v0.5.4/CHANGELOG

[Patch] http://trac.roundcube.net/changeset/5037

[Exploit, Patch] http://trac.roundcube.net/ticket/1488030

[Exploit, Patch] https://bugzilla.redhat.com/show_bug.cgi?id=731786

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/49229

[Mailing List] http://www.openwall.com/lists/oss-security/2011/08/18/5

[Mailing List] http://www.openwall.com/lists/oss-security/2011/08/19/15

[Vendor Advisory] http://support.apple.com/kb/HT5130

Scores

EPSS 0.0055

EPSS Percentile 67.6%

Classification

CWE

CWE-79

Status published

Affected Products (26)

roundcube/webmail < 0.5.3

roundcube/webmail

... and 11 more

Timeline

Published Sep 21, 2011

Tracked Since Feb 18, 2026