{"id":"CVE-2020-18670","details":"Cross Site Scripting (XSS) vulnerability in Roundcube mail 1.4.4 via database host and user in /installer/test.php.","aliases":["BIT-roundcube-2020-18670"],"modified":"2026-04-10T04:24:00.067792Z","published":"2021-06-24T19:15:08.233Z","related":["openSUSE-SU-2021:0931-1","openSUSE-SU-2021:0942-1","openSUSE-SU-2021:0943-1","openSUSE-SU-2021:0959-1","openSUSE-SU-2021:0974-1","openSUSE-SU-2021:1014-1"],"references":[{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/issues/7406"},{"type":"FIX","url":"https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"},{"type":"EVIDENCE","url":"https://lorexxar.cn/2020/06/10/roundcube-mail-xss/#Store-Xss-in-installer-test-php"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/roundcube/roundcubemail","events":[{"introduced":"0"},{"last_affected":"aadb13e25f73d783f731a99f9b9c2ea43bb10c79"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.4"}]}}],"versions":["1.1-beta","1.1-rc","1.1.0","1.2-beta","1.2-rc","1.3-beta","1.4-beta","1.4-rc1","1.4-rc2","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","v0.1-beta2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-18670.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}