Bug 1187707 (CVE-2020-18670)

Summary:	VUL-0: CVE-2020-18670: roundcubemail: Cross Site Scripting (XSS) vulneraibility via database host and user in /installer/test.php
Product:	[openSUSE] openSUSE Distribution	Reporter:	Alexander Bergmann <abergmann>
Component:	Security	Assignee:	Aeneas Jaißle <aj>
Status:	NEW ---	QA Contact:	Security Team bot <security-team>
Severity:	Minor
Priority:	P3 - Medium	CC:	lars.vogdt
Version:	Leap 15.2
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/302926/
Whiteboard:
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Alexander Bergmann 2021-06-25 07:43:20 UTC

CVE-2020-18670

Cross Site Scripting (XSS) vulneraibility in Roundcube mail .4.4 via database
host and user in /installer/test.php.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-18670
https://github.com/roundcube/roundcubemail/issues/7406
https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12
https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php

Comment 1 OBSbugzilla Bot 2021-06-25 17:30:14 UTC

This is an autogenerated message for OBS integration:
This bug (1187707) was mentioned in
https://build.opensuse.org/request/show/902408 Backports:SLE-15-SP1 / roundcubemail
https://build.opensuse.org/request/show/902409 Backports:SLE-15-SP2 / roundcubemail
https://build.opensuse.org/request/show/902411 15.2 / roundcubemail

Comment 2 Swamp Workflow Management 2021-06-27 10:15:47 UTC

openSUSE-SU-2021:0931-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    roundcubemail-1.3.16-lp152.4.6.1

Comment 3 Swamp Workflow Management 2021-06-30 13:44:38 UTC

openSUSE-SU-2021:0942-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    roundcubemail-1.3.16-bp152.4.6.1

Comment 4 Swamp Workflow Management 2021-06-30 14:17:16 UTC

openSUSE-SU-2021:0943-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    roundcubemail-1.3.16-bp151.4.6.1

Comment 5 Swamp Workflow Management 2021-07-02 22:25:24 UTC

openSUSE-SU-2021:0959-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    roundcubemail-1.3.16-bp152.4.10.1

Comment 6 Swamp Workflow Management 2021-07-06 07:15:55 UTC

openSUSE-SU-2021:0974-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    roundcubemail-1.3.16-bp152.4.14.1

Comment 7 Swamp Workflow Management 2021-07-09 15:48:47 UTC

openSUSE-SU-2021:1014-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1180399,1187706,1187707
CVE References: CVE-2020-18670,CVE-2020-18671,CVE-2020-35730
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    roundcubemail-1.3.16-bp152.4.18.1