CVE-2012-3508

Roundcube Webmail 0.8.0 - Cross-Site Scripting via HTML Email Href Attribute

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-3508.

AI-analyzed exploit summary: This Python script demonstrates a stored XSS vulnerability in Roundcube Webmail 0.8.0 by sending an email with a malicious payload that triggers when the victim clicks the link. It includes a functional SMTP client to deliver the exploit.

Description

Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email.

Exploits (1)

exploitdb · WORKING POC
python · webapps · php
https://www.exploit-db.com/exploits/20549

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Roundcube Webmail 0.8.0
Auth required
Prerequisites: SMTP server access · valid credentials for sending email
devstral-2 · analyzed Feb 19, 2026

References (7)

Core References
Various Sources x_refsource_confirm
http://trac.roundcube.net/ticket/1488613
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50279
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/20/9
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/20/2
Various Sources x_refsource_misc
http://www.securelist.com/en/advisories/50279

Scores

EPSS: 0.0420
EPSS Percentile: 89.6%

Details

CWE: CWE-79
Status: published
Products (1): roundcube/webmail 0.8.0
Published: Aug 25, 2012
Tracked Since: Feb 18, 2026