CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail

A Cross-Site scripting (XSS) vulnerability exists in Roundcube versions before 1.4.5 and 1.3.12.

By leveraging the parsing of "text/xml" attachment, an attacker can bypass the Roundcube script filter and execute arbitrary malicious JavaScript in the victim's browser when the malicious attachment is clicked/previewed.

Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found here.

Requirements:

This vulnerability requires:

Waiting for a Roundcube user to open the attachment containg the XSS

Proof Of Concept:

More details and the exploitation process can be found in this PDF.

Name		Name	Last commit message	Last commit date
Latest commit History 4 Commits
README.md		README.md
Roundcube Disclosures - CVE-2020-13965.pdf		Roundcube Disclosures - CVE-2020-13965.pdf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

README.md

Roundcube Disclosures - CVE-2020-13965.pdf

Roundcube Disclosures - CVE-2020-13965.pdf

Repository files navigation

CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail

Vendor Disclosure:

Requirements:

Proof Of Concept:

About

mbadanoiu/CVE-2020-13965

Folders and files

Latest commit

History

README.md

README.md

Roundcube Disclosures - CVE-2020-13965.pdf

Roundcube Disclosures - CVE-2020-13965.pdf

Repository files navigation

CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail

Vendor Disclosure:

Requirements:

Proof Of Concept:

About

Topics

Resources

Stars

Watchers

Forks