{"id":"USN-8132-1","summary":"roundcube vulnerabilities","details":"It was discovered that Roundcube Webmail did not properly sanitize \ncertain HTML elements within the e-mail body. An attacker could possibly \nuse this issue to cause a cross-site scripting attack. This issue was only \naddressed in Ubuntu 16.04 LTS. (CVE-2016-4068, CVE-2016-4069)\n\nIt was discovered that Roundcube Webmail did not properly handle certain \nconfiguration parameters. An attacker could possibly use this issue to \nexecute arbitrary code. This issue was only addressed in Ubuntu 16.04 LTS. \n(CVE-2016-9920)\n\nIt was discovered that Roundcube Webmail did not properly sanitize CSS styles \nwithin SVG documents. An attacker could possibly use this issue to cause \na cross-site scripting attack. This issue was only addressed in Ubuntu 16.04 LTS.\n(CVE-2017-6820)\n\nIt was discovered that Roundcube Webmail did not properly restrict exec call in \ncertain drivers of the password plugin. An authenticated user could possibly \nuse this issue to perform arbitrary password resets. This issue was only addressed in \nUbuntu 16.04 LTS. (CVE-2017-8114)\n\nIt was discovered that Roundcube Webmail did not properly set file permissions within \nthe Enigma plugin. An attacker could possibly use this issue to exfiltrate GPG private \nkeys via network connectivity. (CVE-2018-1000071)\n\nIt was discovered that Roundcube Webmail did not properly handle GnuPG MDC \nintegrity-protection warnings. An attacker could possibly use this issue to obtain \nsensitive information from encrypted communications. (CVE-2018-19205)\n\nIt was discovered that Roundcube Webmail did not properly sanitize \u003csvg\u003e and \u003cstyle\u003e\ntags within HTML attachments. An attacker could possibly use this issue to cause a \ncross-site scripting attack. (CVE-2018-19206)\n\nIt was discovered that Roundcube Webmail did not properly handle partially encrypted\nmultipart messages. An attacker could possibly use this issue to cause \nleaking of the plaintext of encrypted messages via an email reply. (CVE-2019-10740)\n\nIt was discovered that Roundcube Webmail did not properly sanitize a certain parameter \nwithin the archive plugin. An attacker could possibly use this issue to perform an \nIMAP injection attack. This issue was only addressed in Ubuntu 16.04 LTS. (CVE-2018-9846)","modified":"2026-03-31T18:16:28.760533Z","published":"2026-03-30T21:08:01Z","related":["UBUNTU-CVE-2016-4068","UBUNTU-CVE-2016-4069","UBUNTU-CVE-2016-9920","UBUNTU-CVE-2017-6820","UBUNTU-CVE-2017-8114","UBUNTU-CVE-2018-1000071","UBUNTU-CVE-2018-19205","UBUNTU-CVE-2018-19206","UBUNTU-CVE-2018-9846","UBUNTU-CVE-2019-10740"],"upstream":["CVE-2016-4068","CVE-2016-4069","CVE-2016-9920","CVE-2017-6820","CVE-2017-8114","CVE-2018-1000071","CVE-2018-19205","CVE-2018-19206","CVE-2018-9846","CVE-2019-10740","UBUNTU-CVE-2016-4068","UBUNTU-CVE-2016-4069","UBUNTU-CVE-2016-9920","UBUNTU-CVE-2017-6820","UBUNTU-CVE-2017-8114","UBUNTU-CVE-2018-1000071","UBUNTU-CVE-2018-19205","UBUNTU-CVE-2018-19206","UBUNTU-CVE-2018-9846","UBUNTU-CVE-2019-10740"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8132-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4068"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-4069"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2016-9920"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-6820"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-8114"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-9846"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-19205"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-19206"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-1000071"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10740"}],"affected":[{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.2~beta+dfsg.1-0ubuntu1+esm7?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2~beta+dfsg.1-0ubuntu1+esm7"}]}],"versions":["1.1.1+dfsg.1-2","1.1.2+dfsg.1-5","1.1.3+dfsg.1-1","1.1.4+dfsg.1-1","1.2~beta+dfsg.1-0ubuntu1","1.2~beta+dfsg.1-0ubuntu1+esm1","1.2~beta+dfsg.1-0ubuntu1+esm2","1.2~beta+dfsg.1-0ubuntu1+esm3","1.2~beta+dfsg.1-0ubuntu1+esm4","1.2~beta+dfsg.1-0ubuntu1+esm5","1.2~beta+dfsg.1-0ubuntu1+esm6"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"},{"binary_name":"roundcube-core","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"},{"binary_name":"roundcube-mysql","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"},{"binary_name":"roundcube-pgsql","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"},{"binary_name":"roundcube-plugins","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"},{"binary_name":"roundcube-sqlite3","binary_version":"1.2~beta+dfsg.1-0ubuntu1+esm7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8132-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:16.04:LTS","cves":[{"id":"CVE-2016-4068","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-4069","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2016-9920","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-6820","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2017-8114","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-9846","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-19205","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-19206","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-1000071","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-10740","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}},{"package":{"name":"roundcube","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/roundcube@1.3.6+dfsg.1-1ubuntu0.1~esm7?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.6+dfsg.1-1ubuntu0.1~esm7"}]}],"versions":["1.3.0+dfsg.1-1","1.3.1+dfsg.1-1","1.3.3+dfsg.1-1","1.3.3+dfsg.1-2","1.3.6+dfsg.1-1","1.3.6+dfsg.1-1ubuntu0.1~esm1","1.3.6+dfsg.1-1ubuntu0.1~esm2","1.3.6+dfsg.1-1ubuntu0.1~esm3","1.3.6+dfsg.1-1ubuntu0.1~esm4","1.3.6+dfsg.1-1ubuntu0.1~esm5","1.3.6+dfsg.1-1ubuntu0.1~esm6"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_name":"roundcube","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"},{"binary_name":"roundcube-core","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"},{"binary_name":"roundcube-mysql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"},{"binary_name":"roundcube-pgsql","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"},{"binary_name":"roundcube-plugins","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"},{"binary_name":"roundcube-sqlite3","binary_version":"1.3.6+dfsg.1-1ubuntu0.1~esm7"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8132-1.json","cves_map":{"ecosystem":"Ubuntu:Pro:18.04:LTS","cves":[{"id":"CVE-2018-19205","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-19206","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2018-1000071","severity":[{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-10740","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.5"}