Vulnerability Name:

CVE-2013-5645 (CCN-86632)

Assigned: 2013-08-23
Published: 2013-08-23
Updated: 2013-09-12
Summary: Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-79
Vulnerability Consequences: Cross-Site Scripting
References:
Source: MITRE
Type: CNA
CVE-2013-5645

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2013:1420

Source: CCN
Type: Roundcube Webmail Web site
Roundcube - open source webmail software

Source: CCN
Type: SA54536
RoundCube Webmail Edit Email Script Insertion Vulnerability

Source: CONFIRM
Type: Exploit, Patch
http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github

Source: CONFIRM
Type: Exploit, Patch
http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github

Source: CONFIRM
Type: UNKNOWN
http://trac.roundcube.net/ticket/1489251

Source: CONFIRM
Type: UNKNOWN
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3

Source: CCN
Type: BID-61976
RoundCube Webmail Multiple HTML-injection Vulnerabilities

Source: CCN
Type: Red Hat Bugzilla Bug 1000510
roundcubemail: two XSS flaws fixed in 0.9.3

Source: XF
Type: UNKNOWN
roundcubewebmail-multiple-xss(86632)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:roundcube:webmail:0.1:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:20050811:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:20050820:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:20051007:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:20051021:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:alpha:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:beta2:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:rc1:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:rc2:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1:stable:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2:alpha:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2:stable:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.3:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.3:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.3:rc1:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.3:stable:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.4:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5:rc:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.5.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.6:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.7:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.7.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.7.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.0:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.5:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.8.6:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.9:beta:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.9:rc:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.9:rc2:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.9.0:-:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:roundcube:webmail:*:*:*:*:*:*:*:* (Version <= 0.9.2)

Configuration CCN 1:
  • cpe:/a:roundcube:webmail:0.9.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:20135645 | V | CVE-2013-5645 | 2022-06-30 |
| oval:org.opensuse.security:def:113340 | P | roundcubemail-1.2.3-1.1 on GA media (Moderate) | 2022-01-17 |
| oval:org.opensuse.security:def:106747 | P | Security update for aaa_base (Moderate) | 2021-12-03 |
| oval:com.ubuntu.precise:def:20135645000 | V | CVE-2013-5645 on Ubuntu 12.04 LTS (precise) - medium. | 2013-08-29 |
| oval:com.ubuntu.xenial:def:201356450000000 | V | CVE-2013-5645 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-08-29 |
| oval:com.ubuntu.trusty:def:20135645000 | V | CVE-2013-5645 on Ubuntu 14.04 LTS (trusty) - medium. | 2013-08-29 |
| oval:com.ubuntu.xenial:def:20135645000 | V | CVE-2013-5645 on Ubuntu 16.04 LTS (xenial) - medium. | 2013-08-29 |