Upstream information

CVE-2017-6820 at MITRE

Description

rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is susceptible to a cross-site scripting vulnerability via a crafted Cascading Style Sheets (CSS) token sequence within an SVG element.

SUSE information

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.30
Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None
CVSS v3 Scores
  National Vulnerability Database
Base Score 6.1
Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Access Vector Network
Access Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact Low
Integrity Impact Low
Availability Impact None
SUSE Bugzilla entry: 1029035 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 42.1
  • roundcubemail >= 1.1.8-18.1
Patchnames:
openSUSE-2017-355
openSUSE Leap 42.2
  • roundcubemail >= 1.1.8-18.1
Patchnames:
openSUSE-2017-355