RoundCube up to 1.0.5/1.1.1 rcmail.php _mbox cross site scripting
A vulnerability classified as problematic was found in RoundCube up to 1.0.5/1.1.1. Affected by this vulnerability is an unknown function of the file program/include/rcmail.php. The manipulation of the argument _mbox with an unknown input leads to a cross site scripting vulnerability. As an impact it is known to affect integrity.
The weakness was released 01/29/2016. The advisory is shared for download at roundcube.net. This vulnerability is known as CVE-2015-8793. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details of the vulnerability are known, but there is no available exploit.
Upgrading to version 1.0.6 or 1.1.2 eliminates this vulnerability.
See 80732 for similar entries.
CVSSv3
Base Score: 4.3
Temp Score: 4.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:X
CVSSv2
Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Temp Score: 4.4 (CVSS2#E:ND/RL:OF/RC:ND)
Exploiting
Class: Cross site scripting (CWE-79)
Current Price Estimation: $1k-$2k (0-day) / $0-$1k (Today)
Status: Official fix
0-Day Time: 0 days since found
Upgrade: RoundCube 1.0.6/1.1.2
Timeline
01/29/2016 Advisory disclosed
01/29/2016 +0 days NVD disclosed
02/01/2016 +3 days VulDB entry created
02/01/2016 +0 days VulDB entry updated
CVE: CVE-2015-8793 (mitre.org) (nvd.nist.org) (cvedetails.com)
See also: 80732
Entry: 73.2% complete