CVE-2020-13965

CVSS 6.3 MEDIUM · EPSS 76.6% · KEV · CWE-80
In short

Roundcube Webmail allowed attackers to inject malicious scripts through XML file previews. An attacker could send a specially crafted XML attachment that executes code in a victim's browser when previewed.

Technical detail

An XSS vulnerability in Roundcube Webmail versions before 1.3.12 and 1.4.5 exists in the attachment preview functionality, where the text/xml MIME type was permitted for preview rendering without proper sanitization. The attack vector is email-based: the attacker crafts a malicious XML attachment with embedded scripts and sends it to the victim; when the victim previews the attachment in Roundcube, the script executes in the victim's session context.

Summary generated and translated by AI from the official description.
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
