Description

steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafted use of <svg><style>, as demonstrated by an onload attribute in a BODY element, within an HTML attachment.

Remediation

References

CVE-2018-19206

Related Vulnerabilities

Lighttpd Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2014-2323)

WordPress Plugin WP-Filebase Download Manager Cross-Site Scripting (3.4.4)

MediaWiki Other Vulnerability (CVE-2004-2186)

MySQL CVE-2022-21297 Vulnerability (CVE-2022-21297)

Squid Insufficient Verification of Data Authenticity Vulnerability (CVE-2016-4554)

Severity

Medium

Classification

CVE-2018-19206 CWE-707 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Missing Update Known Vulnerabilities