USN-5182-1

Source
https://ubuntu.com/security/notices/USN-5182-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5182-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-5182-1
Published
2022-08-08T06:30:29.641028Z
Modified
2022-08-08T06:30:29.641028Z
Summary
roundcube vulnerabilities
Details

It was discovered that Roundcube Webmail allowed JavaScript code to be present in the CDATA of an HTML message. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12625)

It was discovered that Roundcube Webmail incorrectly processed login and logout POST requests. An attacker could possibly use this issue to launch a cross-site request forgery (CSRF) attack and force an authenticated user to be logged out. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12626)

It was discovered that Roundcube Webmail incorrectly processed new plugin names in rcube_plugin_api.php. An attacker could possibly use this issue to obtain sensitive information from local files or to execute arbitrary code. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12640)

It was discovered that Roundcube Webmail did not sanitize shell metacharacters recovered from variables in its configuration settings. An attacker could possibly use this issue to execute arbitrary code on the server. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12641)

It was discovered that Roundcube Webmail incorrectly sanitized characters in the username template object. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13964)

It was discovered that Roundcube Webmail allowed preview of text/html content. A remote attacker could possibly use this issue to send a malicious XML attachment via an email message and execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-13965)

Andrea Cardaci discovered that Roundcube Webmail did not properly sanitize HTML special characters when dealing with HTML messages that contained an SVG element in the XML namespace. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-15562)

Lukasz Pilorz discovered that Roundcube Webmail did not properly sanitize HTML special characters when dealing with HTML messages that contained SVG documents. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-16145)

Alex Birnberg discovered that Roundcube Webmail incorrectly sanitized characters in plain text e-mail messages that included link reference elements. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-35730)

It was discovered that Roundcube Webmail did not properly sanitize HTML special characters in warning messages that contained an attachment's filename extension. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-44025)

It was discovered that Roundcube Webmail incorrectly managed session variables related to search functionalities. A remote attacker could possibly use this issue to execute a SQL injection attack. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-44026)

It was discovered that Roundcube Webmail did not properly sanitize HTML special characters when dealing with HTML messages that contained CSS content. A remote attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. This issue only affected Ubuntu 18.04 ESM, Ubuntu 20.04 ESM and Ubuntu 22.04 ESM. (CVE-2021-46144)

Affected packages

Ubuntu:Pro:16.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2~beta+dfsg.1-0ubuntu1+esm2

Affected versions

1.*

1.1.1+dfsg.1-2
1.1.2+dfsg.1-5
1.1.3+dfsg.1-1
1.1.4+dfsg.1-1
1.2~beta+dfsg.1-0ubuntu1
1.2~beta+dfsg.1-0ubuntu1+esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube"
        },
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube-core"
        },
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube-mysql"
        },
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube-pgsql"
        },
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube-plugins"
        },
        {
            "binary_version": "1.2~beta+dfsg.1-0ubuntu1+esm2",
            "binary_name": "roundcube-sqlite3"
        }
    ]
}

Ubuntu:Pro:18.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.3.6+dfsg.1-1ubuntu0.1~esm2

Affected versions

1.*

1.3.0+dfsg.1-1
1.3.1+dfsg.1-1
1.3.3+dfsg.1-1
1.3.3+dfsg.1-2
1.3.6+dfsg.1-1
1.3.6+dfsg.1-1ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube"
        },
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-core"
        },
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-mysql"
        },
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-pgsql"
        },
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-plugins"
        },
        {
            "binary_version": "1.3.6+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-sqlite3"
        }
    ]
}

Ubuntu:Pro:20.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube?arch=src?distro=esm-apps/focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.3+dfsg.1-1ubuntu0.1~esm2

Affected versions

1.*

1.3.8+dfsg.1-2
1.3.10+dfsg.1-1
1.4.1+dfsg.1-2
1.4.2+dfsg.1-1
1.4.2+dfsg.1-2
1.4.3+dfsg.1-1
1.4.3+dfsg.1-1ubuntu0.1~esm1

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube"
        },
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-core"
        },
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-mysql"
        },
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-pgsql"
        },
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-plugins"
        },
        {
            "binary_version": "1.4.3+dfsg.1-1ubuntu0.1~esm2",
            "binary_name": "roundcube-sqlite3"
        }
    ]
}

Ubuntu:Pro:22.04:LTS / roundcube

Package

Name
roundcube
Purl
pkg:deb/ubuntu/roundcube?arch=src?distro=esm-apps/jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.0+dfsg.1-2ubuntu0.1~esm1

Affected versions

1.*

1.4.11+dfsg.1-4
1.5.0+dfsg.1-2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube"
        },
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube-core"
        },
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube-mysql"
        },
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube-pgsql"
        },
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube-plugins"
        },
        {
            "binary_version": "1.5.0+dfsg.1-2ubuntu0.1~esm1",
            "binary_name": "roundcube-sqlite3"
        }
    ]
}