Description

Cross-site scripting (XSS) vulnerability in program/js/app.js in Roundcube webmail before 1.0.7 and 1.1.x before 1.1.3 allows remote authenticated users to inject arbitrary web script or HTML via the file name in a drag-n-drop file upload.

Remediation

References

CVE-2015-8105

Related Vulnerabilities

WordPress Plugin Fancy Gallery 'image-upload.php' Arbitrary File Upload (1.2.4)

Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-7531)

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-2206)

WordPress Plugin WP Post Popup Directory Traversal (2.0)

Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability (CVE-2020-9757)

Severity

Low

Classification

CVE-2015-8105

Tags

Missing Update Known Vulnerabilities