CVE-2015-5381

MEDIUM

Roundcube Webmail 1.1.x - Cross-Site Scripting via _mbox Parameter

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.

References (5)

Core 5

Core References

Mailing List, Patch, Third Party Advisory mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2015/07/07/2

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

http://trac.roundcube.net/ticket/1490417

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://github.com/roundcube/roundcubemail/issues/4837

Patch, Vendor Advisory x_refsource_confirm

https://roundcube.net/news/2015/06/05/updates-1.1.2-and-1.0.6-released

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://github.com/roundcube/roundcubemail/commit/b782815dacda55eee6793249b5da1789256206fc

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0250

EPSS Percentile 82.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

roundcube/roundcube_webmail 1.1.1

roundcube/webmail 1.1 (3 CPE variants)

Published May 23, 2017

Tracked Since Feb 18, 2026