CVE-2017-6820 - OpenCVE

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Roundcube	Webmail

Configuration 1 [-]

OR	cpe:2.3:a:roundcube:webmail::::::::
	cpe:2.3:a:roundcube:webmail:1.2.0:::::::*
	cpe:2.3:a:roundcube:webmail:1.2.1:::::::*
	cpe:2.3:a:roundcube:webmail:1.2.2:::::::*
	cpe:2.3:a:roundcube:webmail:1.2.3:::::::*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/96817
https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4
https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305
https://github.com/roundcube/roundcubemail/releases/tag/1.1.8
https://github.com/roundcube/roundcubemail/releases/tag/1.2.4
https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124
https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-03-12T04:57:00

Updated: 2024-08-05T15:41:17.592Z

Reserved: 2017-03-11T00:00:00

Link: CVE-2017-6820

Vulnrichment

No data.

NVD

Status : Modified

Published: 2017-03-12T05:59:00.277

Modified: 2018-10-30T16:27:29.530

Link: CVE-2017-6820

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-03-11T00:00:00", "descriptions": [{"lang": "en", "value": "rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-03-14T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.8"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.4"}, {"name": "96817", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/96817"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-6820", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124"}, {"name": "https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released", "refsource": "CONFIRM", "url": "https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released"}, {"name": "https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4"}, {"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.8", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.8"}, {"name": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.4", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.4"}, {"name": "96817", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96817"}, {"name": "https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305", "refsource": "CONFIRM", "url": "https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T15:41:17.592Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.8"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.4"}, {"name": "96817", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/96817"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-6820", "datePublished": "2017-03-12T04:57:00", "dateReserved": "2017-03-11T00:00:00", "dateUpdated": "2024-08-05T15:41:17.592Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*", "matchCriteriaId": "47063171-0D2F-4987-91BA-051FFD0D7B3F", "versionEndIncluding": "1.1.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "6556D4DF-FFF9-4EE0-91EA-84314D7CF071", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "98A43C92-1266-47DB-B3D9-A12CFE271EEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "BEFDA8E6-5BD6-4A20-8B67-C9597B67DABA", "vulnerable": true}, {"criteria": "cpe:2.3:a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "7DB074D9-E258-471F-9FF7-CABE43E763DC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element."}, {"lang": "es", "value": "rcube_utils.php en Roundcube en versiones anteriores a 1.1.8 y 1.2.x en versiones anteriores a 1.2.4 es susceptible a una vulnerabilidad de XSS a trav\u00e9s una secuencia de tokens de CSS manipulada dentro de un elemento SVG."}], "id": "CVE-2017-6820", "lastModified": "2018-10-30T16:27:29.530", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-03-12T05:59:00.277", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/96817"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.1.8"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/roundcube/roundcubemail/releases/tag/1.2.4"}, {"source": "cve@mitre.org", "tags": ["Patch", "Release Notes", "Third Party Advisory"], "url": "https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://roundcube.net/news/2017/03/10/updates-1.2.4-and-1.1.8-released"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}