Vulnerability Details : CVE-2013-5645
Potential exploit
Multiple cross-site scripting (XSS) vulnerabilities in Roundcube webmail before 0.9.3 allow user-assisted remote attackers to inject arbitrary web script or HTML via the body of a message visited in (1) new or (2) draft mode, related to compose.inc; and (3) might allow remote authenticated users to inject arbitrary web script or HTML via an HTML signature, related to save_identity.inc.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2013-5645
- cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:beta:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:20050811:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:stable:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:20051021:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:20050820:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1:20051007:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2:stable:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.3:beta:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.3:stable:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5:beta:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5:rc:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.9:rc:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.9:rc2:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.8.6:*:*:*:*:*:*:*
- cpe:2.3:a:roundcube:webmail:0.9:beta:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-5645
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-5645
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
CWE ids for CVE-2013-5645
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-5645
-
http://trac.roundcube.net/changeset/ce5a6496fd6039962ba7424d153278e41ae8761b/github
404 Not FoundExploit;Patch
-
http://trac.roundcube.net/changeset/93b0a30c1c8aa29d862b587b31e52bcc344b8d16/github
404 Not FoundExploit;Patch
-
http://trac.roundcube.net/wiki/Changelog#RELEASE0.9.3
Changelog · roundcube/roundcubemail Wiki · GitHub
-
http://trac.roundcube.net/ticket/1489251
XSS Vulnerability on Identity configuration (and on "edit as new" function) · Issue #4283 · roundcube/roundcubemail · GitHub
-
http://lists.opensuse.org/opensuse-updates/2013-09/msg00018.html
openSUSE-SU-2013:1420-1: moderate: roundcubemail: version update to 0.9.
Jump to