PT-2020-3630 · Roundcube · Roundcube Webmail

Published: 2019-11-09 · Updated: 2024-03-06 · CVE-2020-15562

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail versions 1.2.10 and earlier, 1.3.x before 1.3.14, and 1.4.x before 1.4.7

Description: The issue allows cross-site scripting (XSS) via a crafted HTML e-mail message. It can be demonstrated by a JavaScript payload placed in the xmlns attribute of a HEAD element when an SVG element is also present in the message. The vulnerability stems from insufficient protection of the web page structure (untrusted message content is not properly neutralized before being rendered), and a remote attacker can exploit it to compromise data integrity.

Recommendations: For versions 1.2.10 and earlier, update to version 1.2.11 or later. For versions 1.3.x before 1.3.14, update to version 1.3.14 or later. For versions 1.4.x before 1.4.7, update to version 1.4.7 or later. If the update cannot be applied immediately, consider disabling the processing of HTML e-mail messages containing SVG elements as a temporary workaround.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-2319
ALT-PU-2020-2367
BDU:2020-03977
BIT-ROUNDCUBE-2020-15562
CVE-2020-15562
DSA-4720-1
OPENSUSE-SU-2020:1516-1
OPENSUSE-SU-2020_1516-1
USN-5182-1

Affected Products

Alt Linux
Linuxmint
Roundcube Webmail
Suse
Ubuntu