{"id":"CVE-2020-15562","details":"An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x before 1.3.14, and 1.4.x before 1.4.7. It allows XSS via a crafted HTML e-mail message, as demonstrated by a JavaScript payload in the xmlns (aka XML namespace) attribute of a HEAD element when an SVG element exists.","aliases":["BIT-roundcube-2020-15562"],"modified":"2026-04-02T04:09:54.426799Z","published":"2020-07-06T12:15:10.720Z","related":["openSUSE-SU-2020:1516-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.3.14"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.4.7"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4720"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.2.11"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"fixed":"ce6ebd9c38bcae4a1fa9829aa20c30d9c96b2d77"},{"introduced":"854aa7f35f6ed963033e2c0c4735852af7eca21b"},{"fixed":"abddddb12c0f962ce111b02ff5ad0ab33657088b"},{"introduced":"fdbdaec9989998b2a378619273f9fb60e6ad6879"},{"fixed":"cdbefb54e2bebbc61e5fb081c7d1038d884743cf"},{"fixed":"3e8832d029b035e3fcfb4c75839567a9580b4f82"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.11"},{"introduced":"1.3.0"},{"fixed":"1.3.14"},{"introduced":"1.4.0"},{"fixed":"1.4.7"}]}}],"versions":["0.7.4","0.8.6","0.9-rc2","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1-beta","1.1-rc","1.1.0","1.1.1","1.1.10","1.1.11","1.1.12","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.1.7","1.1.8","1.1.9","1.2-beta","1.2-rc","1.2.0","1.2.1","1.2.10","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.2.9","1.3-beta","1.3-rc","1.3.0","1.3.1","1.3.10","1.3.11","1.3.12","1.3.13","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4-beta","1.4-rc1","1.4-rc2","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.5-beta","1.5-rc","1.5.0","1.5.1","1.5.10","1.5.11","1.5.12","1.5.13","1.5.14","1.5.15","1.5.2","1.5.3","1.5.4","1.5.5","1.5.6","1.5.7","1.5.8","1.5.9","1.6-beta","1.6-rc","1.6.0","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.14","1.6.15","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","1.7-beta","1.7-beta2","1.7-rc","1.7-rc2","1.7-rc3","1.7-rc4","1.7-rc5","1.7-rc6","v0.1-beta2","v0.1-rc1","v0.1-rc1@582","v0.1-rc2","v0.1-rc2@900","v0.1-stable","v0.1-stable@1183","v0.1.1","v0.1.1@1258","v0.2-alpha","v0.2-alpha@1499","v0.2-beta","v0.2-beta@1877","v0.2-beta@1878","v0.2-stable","v0.2-stable@2204","v0.2.1","v0.2.1@2348","v0.2.2","v0.2.2@2481","v0.2.2@2495","v0.3-beta","v0.3-beta@2799","v0.3-rc1","v0.3-stable","v0.3-stable@2921","v0.3.1","v0.3.1@3081","v0.4-beta","v0.4-beta@3548","v0.4.1","v0.4.1@4045","v0.4.2","v0.4.2@4050","v0.5","v0.5-beta","v0.5-beta@4347","v0.5-rc","v0.5-rc@4349","v0.5.1","v0.5.1@4518","v0.5.2","v0.5.2@4679","v0.5.3","v0.5.3@4832","v0.5.4","v0.5.4@5062","v0.5.4@5065","v0.5@4408","v0.6","v0.6-beta","v0.6-rc","v0.7","v0.7-beta1","v0.7-beta2","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.8-beta","v0.8-rc","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.8.4","v0.8.5","v0.8.6","v0.8.7","v0.9-beta","v0.9-rc","v0.9-rc2","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.5","v1.0-beta","v1.0-rc"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15562.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}