Description
Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.
Remediation
References