Skip to main content

Webmail CVE-2020-12626

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2020-05-04 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
May 04, 2020 - 02:15 nvd
MEDIUM 6.5

DescriptionNVD

An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered.

AnalysisAI

An issue was discovered in Roundcube Webmail before 1.4.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. An issue was discovered in Roundcube Webmail before 1.4.4. A CSRF attack can cause an authenticated user to be logged out because POST was not considered. Affected products include: Roundcube Webmail, Debian Debian Linux. Version information: before 1.4.4..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2016-9920 HIGH POC
7.5 Dec 08

steps/mail/sendmail.inc in Roundcube before 1.1.7 and 1.2.x before 1.2.3, when no SMTP server is configured and the send

CVE-2020-12641 CRITICAL POC
9.8 May 04

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in

CVE-2020-12640 CRITICAL POC
9.8 May 04

Roundcube Webmail before 1.4.4 allows attackers to include local files and execute code via directory traversal in a plu

CVE-2015-2180 HIGH POC
8.8 Jan 30

The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands

CVE-2024-42009 CRITICAL POC
9.3 Aug 05

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to stea

CVE-2015-2181 HIGH POC
8.8 Jan 30

Multiple buffer overflows in the DBMail driver in the Password plugin in Roundcube before 1.1.0 allow remote attackers t

CVE-2017-8114 HIGH POC
8.8 Apr 29

Roundcube Webmail allows arbitrary password resets by authenticated users. Rated high severity (CVSS 8.8), this vulnerab

CVE-2018-1000071 HIGH POC
7.5 Mar 13

roundcube version 1.3.4 and earlier contains an Insecure Permissions vulnerability in enigma plugin that can result in e

CVE-2016-4552 MEDIUM POC
6.1 Dec 20

Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.2.0 allows remote attackers to inject arbitrary w

CVE-2015-8793 MEDIUM POC
6.1 Jan 29

Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2

CVE-2024-37383 MEDIUM POC
6.1 Jun 07

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes. Rated medium severity (CVSS

Share

CVE-2020-12626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy