Fedora 31 : roundcubemail (2020-2a1a6a8432)

critical Nessus Plugin ID 137678

Language:

Synopsis

The remote Fedora host is missing a security update.

Description

**RELEASE 1.4.6**

- Installer: Fix regression in SMTP test section (#7417)

----

**RELEASE 1.4.5**

- Fix bug in extracting required plugins from composer.json that led to spurious error in log (#7364)

- Fix so the database setup description is compatible with MySQL 8 (#7340)

- Markasjunk: Fix regression in jsevent driver (#7361)

- Fix missing flag indication on collapsed thread in Larry and Elastic (#7366)

- Fix default keyservers (use keys.openpgp.org), add note about CORS (#7373, #7367)

- Password: Fix issue with Modoboa driver (#7372)

- Mailvelope: Use sender's address to find pubkeys to check signatures (#7348)

- Mailvelope: Fix Encrypt button hidden in Elastic (#7353)

- Fix PHP warning: count(): Parameter must be an array or an object... in ID command handler (#7392)

- Fix error when user-configured skin does not exist anymore (#7271)

- Elastic: Fix aspect ratio of a contact photo in mail preview (#7339)

- Fix bug where PDF attachments marked as inline could have not been attached on mail forward (#7382)

- **Security**: Fix a couple of XSS issues in Installer (#7406)

- **Security**: Fix XSS issue in template object 'username' (#7406)

- **Security**: Better fix for CVE-2020-12641

- **Security**: Fix cross-site scripting (XSS) via malicious XML attachment

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected roundcubemail package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-2a1a6a8432

Plugin Details

Severity: Critical

ID: 137678

File Name: fedora_2020-2a1a6a8432.nasl

Version: 1.6

Type: local

Agent: unix

Published: 6/22/2020

Updated: 6/27/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-12641

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:fedoraproject:fedora:31, p-cpe:/a:fedoraproject:fedora:roundcubemail

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/19/2020

Vulnerability Publication Date: 5/4/2020

CISA Known Exploited Vulnerability Due Dates: 7/13/2023, 7/17/2024

Reference Information

CVE: CVE-2020-12641, CVE-2020-13964, CVE-2020-13965