roundcubemail-1.2.3-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10491 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z roundcubemail-1.2.3-1.1 on GA media These are all security issues fixed in the roundcubemail-1.2.3-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10491 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10491 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-3507/ SUSE CVE CVE-2012-3507 page https://www.suse.com/security/cve/CVE-2012-3508/ SUSE CVE CVE-2012-3508 page https://www.suse.com/security/cve/CVE-2013-5645/ SUSE CVE CVE-2013-5645 page https://www.suse.com/security/cve/CVE-2013-6172/ SUSE CVE CVE-2013-6172 page https://www.suse.com/security/cve/CVE-2015-2181/ SUSE CVE CVE-2015-2181 page https://www.suse.com/security/cve/CVE-2015-8770/ SUSE CVE CVE-2015-8770 page https://www.suse.com/security/cve/CVE-2016-5103/ SUSE CVE CVE-2016-5103 page openSUSE Tumbleweed roundcubemail-1.2.3-1.1 roundcubemail-1.2.3-1.1 as a component of openSUSE Tumbleweed Cross-site scripting (XSS) vulnerability in program/steps/mail/func.inc in RoundCube Webmail before 0.8.0, when using the Larry skin, allows remote attackers to inject arbitrary web script or HTML via the email message subject. CVE-2012-3507 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3507.html CVE-2012-3507 https://bugzilla.suse.com/777446 SUSE Bug 777446 Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. CVE-2012-3508 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3508.html CVE-2012-3508 https://bugzilla.suse.com/777446 SUSE Bug 777446 Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc. CVE-2013-5645 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5645.html CVE-2013-5645 https://bugzilla.suse.com/837436 SUSE Bug 837436 steps/utils/save_pref.inc in Roundcube webmail before 0.8.7 and 0.9.x before 0.9.5 allows remote attackers to modify configuration settings via the _session parameter, which can be leveraged to read arbitrary files, conduct SQL injection attacks, and execute arbitrary code. CVE-2013-6172 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6172.html CVE-2013-6172 https://bugzilla.suse.com/847179 SUSE Bug 847179 Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers to have unspecified impact via the (1) password or (2) username. CVE-2015-2181 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-2181.html CVE-2015-2181 https://bugzilla.suse.com/976988 SUSE Bug 976988 Directory traversal vulnerability in the set_skin function in program/include/rcmail_output_html.php in Roundcube before 1.0.8 and 1.1.x before 1.1.4 allows remote authenticated users with certain permissions to read arbitrary files or possibly execute arbitrary code via a .. (dot dot) in the _skin parameter to index.php. CVE-2015-8770 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8770.html CVE-2015-8770 https://bugzilla.suse.com/962067 SUSE Bug 962067 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-4552. Reason: This candidate is a reservation duplicate of CVE-2016-4552. Notes: All CVE users should reference CVE-2016-4552 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2016-5103 openSUSE Tumbleweed:roundcubemail-1.2.3-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-5103.html CVE-2016-5103 https://bugzilla.suse.com/1016744 SUSE Bug 1016744 https://bugzilla.suse.com/982003 SUSE Bug 982003 https://bugzilla.suse.com/982703 SUSE Bug 982703