Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/mbadanoiu/cve-2020-13965

CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail
https://github.com/mbadanoiu/cve-2020-13965

0-day cross-site-scripting cve cve-2020-13965 cves unauthenticated

Last synced: 2 days ago
JSON representation

CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail

Host: GitHub
URL: https://github.com/mbadanoiu/cve-2020-13965
Owner: mbadanoiu
Created: 2024-04-13T15:49:04.000Z (7 months ago)
Default Branch: main
Last Pushed: 2024-04-13T15:54:48.000Z (7 months ago)
Last Synced: 2024-04-14T07:00:02.526Z (7 months ago)
Topics: 0-day, cross-site-scripting, cve, cve-2020-13965, cves, unauthenticated
Homepage:
Size: 407 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail

A Cross-Site scripting (XSS) vulnerability exists in Roundcube versions before 1.4.5 and 1.3.12.

By leveraging the parsing of "text/xml" attachment, an attacker can bypass the Roundcube script filter and execute arbitrary malicious JavaScript in the victim's browser when the malicious attachment is clicked/previewed.

### Vendor Disclosure:

The vendor's disclosure and fix for this vulnerability can be found [here](https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12).

### Requirements:

This vulnerability requires:

- Waiting for a Roundcube user to open the attachment containg the XSS

### Proof Of Concept:

More details and the exploitation process can be found in this [PDF](https://github.com/mbadanoiu/CVE-2020-13965/blob/main/Roundcube%20Disclosures%20-%20CVE-2020-13965.pdf).