Vulnerability CVE-2020-18670

Vulnerability Name:

CVE-2020-18670 (CCN-204400)

Assigned:

2020-05-29

Published:

2020-05-29

Updated:

2022-03-10

Summary:

Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database host and user in /installer/test.php.

CVSS v3 Severity:

5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

7.2 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-79

Vulnerability Consequences:

Cross-Site Scripting

References:

Source: MITRE
Type: CNA
CVE-2020-18670

Source: XF
Type: UNKNOWN
roundcube-cve202018670-xss(204400)

Source: CCN
Type: Roundcube mail GIT Repository
security issue #7406

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/roundcube/roundcubemail/issues/7406

Source: MISC
Type: Exploit, Third Party Advisory
https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php

Source: MISC
Type: Patch, Vendor Advisory
https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-18670

Vulnerable Configuration:

Configuration 1:

cpe:/a:roundcube:webmail:1.4.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:roundcube:webmail:0.9.4:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:0.8.6:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.0.0:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.2:rc:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.1.7:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.1.8:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.0.10:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.0.11:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.1.9:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.2.6:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.3.2:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.3.9:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.4.3:*:*:*:*:*:*:*

OR cpe:/a:roundcube:webmail:1.3.11:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:100369	P	(Important)	2021-12-22
oval:org.opensuse.security:def:96405	P	Security update for roundcubemail (Important)	2021-07-09
oval:org.opensuse.security:def:109752	P	Security update for roundcubemail (Important)	2021-07-09
oval:org.opensuse.security:def:11095	P	Security update for roundcubemail (Important)	2021-07-09
oval:org.opensuse.security:def:103095	P	Security update for roundcubemail (Important)	2021-07-09
oval:org.opensuse.security:def:96498	P	Security update for roundcubemail (Important)	2021-07-06
oval:org.opensuse.security:def:109845	P	Security update for roundcubemail (Important)	2021-07-06
oval:org.opensuse.security:def:103188	P	Security update for roundcubemail (Important)	2021-07-06
oval:org.opensuse.security:def:11236	P	Security update for roundcubemail (Important)	2021-07-06
oval:org.opensuse.security:def:96497	P	Security update for roundcubemail (Important)	2021-07-02
oval:org.opensuse.security:def:109844	P	Security update for roundcubemail (Important)	2021-07-02
oval:org.opensuse.security:def:103187	P	Security update for roundcubemail (Important)	2021-07-02
oval:org.opensuse.security:def:11235	P	Security update for roundcubemail (Important)	2021-07-02
oval:org.opensuse.security:def:11233	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:103186	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:93656	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:11234	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:107035	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:96496	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:109843	P	Security update for roundcubemail (Important)	2021-06-29
oval:org.opensuse.security:def:111467	P	Security update for roundcubemail (Important)	2021-06-27

BACK