CVE-2015-8105

2015-11-1017:59:13

CWE-79

mitre

web.nvd.nist.gov

cve-2015-8105

cross-site scripting

xss vulnerability

roundcube webmail

remote authenticated users

web script injection

html injection

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

AI Score

6.3

Confidence

High

EPSS

0.002

Percentile

52.0%

JSON

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

Affected configurations

Nvd

Node

opensuseopensuseMatch13.1

opensuseopensuseMatch13.2

Node

roundcubewebmailRange≤1.0.6

roundcubewebmailMatch1.1.0

roundcubewebmailMatch1.1.1

roundcubewebmailMatch1.1.2

VendorProductVersionCPE
opensuseopensuse13.1cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
opensuseopensuse13.2cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
roundcubewebmail*cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
roundcubewebmail1.1.0cpe:2.3:a:roundcube:webmail:1.1.0:*:*:*:*:*:*:*
roundcubewebmail1.1.1cpe:2.3:a:roundcube:webmail:1.1.1:*:*:*:*:*:*:*
roundcubewebmail1.1.2cpe:2.3:a:roundcube:webmail:1.1.2:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opensuse	opensuse	13.1	cpe:2.3:o:opensuse:opensuse:13.1:::::::*
opensuse	opensuse	13.2	cpe:2.3:o:opensuse:opensuse:13.2:::::::*
roundcube	webmail	*	cpe:2.3:a:roundcube:webmail::::::::
roundcube	webmail	1.1.0	cpe:2.3:a:roundcube:webmail:1.1.0:::::::*
roundcube	webmail	1.1.1	cpe:2.3:a:roundcube:webmail:1.1.1:::::::*
roundcube	webmail	1.1.2	cpe:2.3:a:roundcube:webmail:1.1.2:::::::*