CVE-2020-12626 : An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cau

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

Published 2020-05-04 02:15:12

Updated 2022-09-02 15:42:14

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2020-12626

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Roundcube » Webmail
Versions before (<) 1.4.4
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-12626

EPSS FAQ

1.74%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-12626

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2020-12626

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-12626

https://github.com/roundcube/roundcubemail/compare/1.4.3...1.4.4

Comparing 1.4.3...1.4.4 · roundcube/roundcubemail · GitHub
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/roundcube/roundcubemail/releases/tag/1.4.4

Release Roundcube Webmail 1.4.4 · roundcube/roundcubemail · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/roundcube/roundcubemail/pull/7302

Fix CSRF attack that can cause an authenticated user to be logged out by xudongzheng · Pull Request #7302 · roundcube/roundcubemail · GitHub
Exploit;Issue Tracking;Patch;Third Party Advisory
https://security.gentoo.org/glsa/202007-41

Roundcube: Multiple vulnerabilities (GLSA 202007-41) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2020/dsa-4674

Debian -- Security Information -- DSA-4674-1 roundcube
Third Party Advisory

CVEs referencing this url
https://github.com/roundcube/roundcubemail/commit/9bbda422ff0b782b81de59c86994f1a5fd93f8e6

Fix CSRF bypass that could be used to log out an authenticated user (… · roundcube/roundcubemail@9bbda42 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-12626

Products affected by CVE-2020-12626

Exploit prediction scoring system (EPSS) score for CVE-2020-12626

CVSS scores for CVE-2020-12626

CWE ids for CVE-2020-12626

References for CVE-2020-12626