PT-2020-5797 · Roundcube · Roundcube Webmail

Published: 2020-11-23 · Updated: 2025-12-17 · CVE-2020-35730

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Roundcube Webmail versions 1.2.0 through 1.2.12
Roundcube Webmail versions 1.3.x through 1.3.15
Roundcube Webmail versions 1.4.x through 1.4.9

Description: An issue was discovered in Roundcube Webmail, where the linkref_addindex function in rcube_string_replacer.php mishandles JavaScript in a link reference element. This allows an attacker to send a plain-text e-mail message that injects JavaScript into the rendered message, potentially affecting data integrity. The vulnerability has been exploited in real-world attacks, including spearphishing campaigns.

Recommendations: For Roundcube Webmail versions 1.2.0 through 1.2.12, update to version 1.2.13 or later. For Roundcube Webmail versions 1.3.x through 1.3.15, update to version 1.3.16 or later. For Roundcube Webmail versions 1.4.x through 1.4.9, update to version 1.4.10 or later. As a temporary workaround, consider disabling the linkref_addindex function in rcube_string_replacer.php until a patch is available.

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2020-3561
ALT-PU-2020-3566
BDU:2021-01759
BIT-ROUNDCUBE-2020-35730
CVE-2020-35730
DLA-2508-1
DSA-4821-1
MGASA-2020-0481
OPENSUSE-SU-2021:0931-1
OPENSUSE-SU-2021:0942-1
OPENSUSE-SU-2021:0943-1
OPENSUSE-SU-2021:0959-1
OPENSUSE-SU-2021:0974-1
OPENSUSE-SU-2021:1014-1
OPENSUSE-SU-2021_0931-1
OPENSUSE-SU-2022:10148-1
OPENSUSE-SU-2024:11303-1
USN-5182-1

Affected Products

Alt Linux
Linuxmint
Roundcube Webmail
Suse
Ubuntu