Detections
Analytics
Debian DSA-4700-1 : roundcube - security update
medium Nessus Plugin ID 137373
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Matei Badanoiu and LoRexxar@knownsec discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform a Cross-Side Scripting (XSS) attack leading to the execution of arbitrary code.Solution
Upgrade the roundcube packages.For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u5.
For the stable distribution (buster), these problems have been fixed in version 1.3.13+dfsg.1-1~deb10u1.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962123
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962124
https://security-tracker.debian.org/tracker/source-package/roundcube
https://packages.debian.org/source/stretch/roundcube
Plugin Details
Severity: Medium
ID: 137373
File Name: debian_DSA-4700.nasl
Version: 1.3
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 6/12/2020
Updated: 3/7/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.4
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2020-13965
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:roundcube, cpe:/o:debian:debian_linux:10.0, cpe:/o:debian:debian_linux:9.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/11/2020
Vulnerability Publication Date: 6/9/2020
Reference Information
CVE: CVE-2020-13964, CVE-2020-13965
DSA: 4700