CVE-2020-35730

MEDIUM KEV

Roundcube Webmail < 1.2.13 - XSS

Title source: rule

Description

An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. The attacker can send a plain text e-mail message, with JavaScript in a link reference element that is mishandled by linkref_addindex in rcube_string_replacer.php.

Exploits (1)

nomisec WORKING POC

by skyllpro · client-side

https://github.com/skyllpro/CVE-2021-44026-PoC

View Code ZIP pw:eip

References (10)

[Issue Tracking, Mailing List] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978491

[Patch] https://github.com/roundcube/roundcubemail/compare/1.4.9...1.4.10

[Release Notes] https://github.com/roundcube/roundcubemail/releases/tag/1.2.13

[Release Notes] https://github.com/roundcube/roundcubemail/releases/tag/1.3.16

[Release Notes] https://github.com/roundcube/roundcubemail/releases/tag/1.4.10

[Mailing List, Release Notes] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCEU4BM5WGIDJWP6Z4PCH62ZMH57QYM2/

[Mailing List, Release Notes] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HMLIZWKMTRCLU7KZLEQHELS4INXJ7X5Q/

[Product] https://roundcube.net/download/

[Broken Link] https://www.alexbirnberg.com/roundcube-xss.html

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-35730

Scores

CVSS v3 6.1

EPSS 0.6481

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CISA KEV 2023-06-22

VulnCheck KEV 2023-06-20

InTheWild.io 2023-06-22

ENISA EUVD EUVD-2020-23386

CWE

CWE-79

Status published

Products (4)

debian/debian_linux 9.0

fedoraproject/fedora 32

fedoraproject/fedora 33

roundcube/webmail < 1.2.13

Published Dec 28, 2020

KEV Added Jun 22, 2023

Tracked Since Feb 18, 2026