CVE-2020-12625

MEDIUM

Roundcube Webmail < 1.4.4 - Stored Cross-Site Scripting via HTML Message CDATA

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-12625. PoCs published by mbadanoiu.

AI-analyzed exploit summary This repository provides a writeup and proof-of-concept details for CVE-2020-12625, an XSS vulnerability in Roundcube Webmail. The vulnerability allows arbitrary JavaScript execution via a malicious HTML attachment leveraging the CDATA XML element.

Description

An issue was discovered in Roundcube Webmail before 1.4.4. There is a cross-site scripting (XSS) vulnerability in rcube_washtml.php because JavaScript code can occur in the CDATA of an HTML message.

Exploits (1)

nomisec WRITEUP

by mbadanoiu · poc

https://github.com/mbadanoiu/CVE-2020-12625

View Code ZIP pw:eip

This repository provides a writeup and proof-of-concept details for CVE-2020-12625, an XSS vulnerability in Roundcube Webmail. The vulnerability allows arbitrary JavaScript execution via a malicious HTML attachment leveraging the CDATA XML element.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Roundcube Webmail versions before 1.4.4, 1.3.11, and 1.2.10

No auth needed

Prerequisites: Victim must open the malicious email in Roundcube Webmail

MITRE ATT&CK