Vulnerability ID 80731

RoundCube up to 1.0.5/1.1.1 rcmail.php _mbox cross site scripting

CVSSv3 Temp Score: 4.1
Current Exploit Price (≈): $0-$1k

A vulnerability classified as problematic was found in RoundCube up to 1.0.5/1.1.1. It affects an unknown function in the file program/include/rcmail.php: manipulation of the argument _mbox with an unknown input leads to a cross site scripting vulnerability. The known impact is on integrity.

The weakness was published on 01/29/2016. The advisory is available for download at roundcube.net. This vulnerability is tracked as CVE-2015-8793. Exploitation appears to be easy: the attack can be launched remotely and requires no authentication. Technical details of the vulnerability are known, but no exploit is publicly available.

Upgrading to version 1.0.6 or 1.1.2 eliminates this vulnerability.

See 80732 for similar entries.

CVSSv3

Base Score: 4.3
Temp Score: 4.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:X
Reliability: High

CVSSv2

Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Temp Score: 4.4 (CVSS2#E:ND/RL:OF/RC:ND)
Reliability: High

Exploiting

Class: Cross site scripting (CWE-79)
Local: No
Remote: Yes

Availability: No

Current Price Estimation: $1k-$2k (0-day) / $0-$1k (Today)

Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: RoundCube 1.0.6/1.1.2

Timeline

01/29/2016 Advisory disclosed
01/29/2016 +0 days NVD disclosed
02/01/2016 +3 days VulDB entry created
02/01/2016 +0 days VulDB entry updated

Sources

Advisory: roundcube.net

CVE: CVE-2015-8793 (mitre.org) (nvd.nist.org) (cvedetails.com)
See also: 80732

Entry

Created: 02/01/2016
Entry: 73.2% complete