Cyber Resilience

CVE-2020-13965

Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 09 June 2020
Modified: 04 November 2025
KEV Added: 26 June 2024
Patch: available (fixed in Roundcube 1.3.12 and 1.4.5)
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.7182 (98.8th percentile)
Risk Priority: 75 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-13965 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Roundcube Webmail. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 1.2% of CVEs by exploit likelihood (EPSS 0.7182); CISA added it to the Known Exploited Vulnerabilities catalog on 26 June 2024; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

The vulnerability is a cross-site scripting flaw (CWE-79, CWE-80) in Roundcube Webmail versions before 1.3.12 and 1.4.x before 1.4.5. It exists because text/xml is among the MIME types Roundcube allows for inline attachment preview: the attachment is delivered to the browser as an XML document served from the webmail origin, and script embedded in a crafted XML file therefore runs in the context of the user's session.

An unauthenticated remote attacker exploits the issue by sending the target a crafted email carrying a malicious XML attachment; no Roundcube account is needed, only the ability to deliver mail to the victim. When the recipient opens the message and triggers the attachment preview (the User Interaction: Required component of the score), the embedded script runs with the privileges of the victim's Roundcube session, enabling theft of the session cookie, actions in the webmail interface on the victim's behalf, or UI manipulation. The Scope: Changed metric reflects that the vulnerable component is Roundcube's attachment handling while the impact lands in the user's browser.

The referenced Roundcube commits and the 1.3.12 and 1.4.5 release tags contain the fix, which restricts how XML attachments are handled in preview so that they can no longer be rendered in a way that executes script. Administrators should upgrade to 1.3.12 or 1.4.5, or a later release in the respective branch, to eliminate the exposure.
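The preview-allowlist decision described above, as an added example rather than Roundcube's own code: a minimal gate that serves an attachment inline only if its declared type is on an allowlist, with the flawed allowlist (text/xml included) beside a hardened one that drops every XML-family type and forces those attachments to download. The allowlist contents, the function names and the header handling are assumptions; the +xml handling goes beyond the CVE text, since SVG is XML and can carry script as well.

```python
"""Attachment-preview gate: the flawed allowlist beside a hardened one.

Constructed example modelling the decision a webmail preview endpoint makes;
it is not Roundcube's code, and the allowlists and names are assumptions.
"""
from __future__ import annotations

# Allowlist constructed to mirror the flaw: text/xml is treated as a safe inline type.
VULNERABLE_INLINE_TYPES = frozenset({
    "text/plain", "text/xml", "image/png", "image/jpeg", "image/gif", "application/pdf",
})


def is_xml_family(content_type: str) -> bool:
    """True for any type a browser parses as XML: text/xml, application/xml, */*+xml.

    Covering +xml (e.g. image/svg+xml) goes beyond the CVE text; SVG is XML and can
    carry script too, so a preview allowlist should treat it the same way.
    """
    ct = content_type.split(";", 1)[0].strip().lower()
    return ct in ("text/xml", "application/xml") or ct.endswith("+xml")


def hardened_inline_types(inline_types: frozenset[str]) -> frozenset[str]:
    """Derive a safe allowlist by dropping every XML-family type."""
    return frozenset(t for t in inline_types if not is_xml_family(t))


def _header_safe(filename: str) -> str:
    """Strip characters that would let a filename inject into or terminate a header."""
    return "".join(c for c in filename if c.isprintable() and c not in '"\\;')


def preview_headers(content_type: str, filename: str,
                    inline_types: frozenset[str]) -> dict[str, str]:
    """Headers the preview endpoint emits for one attachment.

    A type on the allowlist is served inline under its declared type, so the browser
    renders it in the webmail origin; anything else is forced to download as an
    opaque blob. nosniff stops the browser from second-guessing the declared type.
    """
    ct = content_type.split(";", 1)[0].strip().lower()
    name = _header_safe(filename)
    if ct in inline_types:
        return {
            "Content-Type": ct,
            "Content-Disposition": f'inline; filename="{name}"',
            "X-Content-Type-Options": "nosniff",
        }
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    hardened = hardened_inline_types(VULNERABLE_INLINE_TYPES)
    for label, allowlist in (("vulnerable", VULNERABLE_INLINE_TYPES), ("hardened", hardened)):
        h = preview_headers("text/xml; charset=utf-8", "report.xml", allowlist)
        print(f"{label:10s} text/xml -> {h['Content-Type']}; {h['Content-Disposition']}")
```

With the vulnerable allowlist a text/xml attachment comes back as `text/xml` with an inline disposition, which is exactly the condition that lets the browser run script from it in the webmail origin; with the hardened allowlist the same attachment is an opaque download. Removing the type from the allowlist is the fix the page describes; the nosniff header and filename sanitization are defence in depth for the same endpoint.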


Vulnerability details

An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'), CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page)
KEV Date Added: 26 June 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

roundcube webmail: before 1.3.12; 1.4.0 through 1.4.4 (fixed in 1.3.12 and 1.4.5)
debian linux: 9.0, 10.0
fedoraproject fedora: 31, 32

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly requires validation and sanitization of untrusted attachment content (here, XML) before any preview rendering occurs, blocking the script-injection path.

SI-15 Information Output Filtering (prevent): requires filtering of information before it is output or presented, preventing script contained in the XML attachment from executing in the user's browser context.

Malicious code protection (prevent, detect): provides detection and blocking mechanisms that can be configured to inspect email attachments and stop, or alert on, script-bearing XML files before preview.
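The attachment inspection the last control describes, as an added example that is not part of the original page or of Roundcube: a scanner over a raw MIME message that flags XML parts carrying indicators of executable script (a script element, the XHTML namespace, an XSLT stylesheet processing instruction, event-handler attributes, javascript: URIs). The sample messages, the indicator list and all names are constructed for the example.

```python
"""Mail-gateway check for script-bearing XML attachments.

Constructed example of the detection this control describes; not Roundcube code.
The indicator list, the sample messages and the names are assumptions.
"""
from __future__ import annotations

import re
from email import message_from_bytes
from email.message import EmailMessage, Message

# Patterns meaning a browser that renders this XML document inline would execute
# script. Each is a (name, regex) pair so a finding can name what was matched.
SCRIPT_INDICATORS: list[tuple[str, re.Pattern[bytes]]] = [
    ("script-element", re.compile(rb"<\s*(?:[\w-]+:)?script\b", re.I)),
    ("xhtml-namespace", re.compile(rb"xmlns(?::[\w-]+)?\s*=\s*[\"']http://www\.w3\.org/1999/xhtml", re.I)),
    ("xslt-stylesheet-pi", re.compile(rb"<\?xml-stylesheet\b", re.I)),
    ("event-handler-attr", re.compile(rb"\bon[a-z]+\s*=\s*[\"']", re.I)),
    ("javascript-uri", re.compile(rb"javascript\s*:", re.I)),
]


def is_xml_part(part: Message) -> bool:
    """XML-family parts are the ones a preview endpoint would hand to the browser as XML."""
    ct = part.get_content_type()
    return ct in ("text/xml", "application/xml") or ct.endswith("+xml")


def xml_script_indicators(payload: bytes) -> list[str]:
    """Names of the indicators present in one XML body (an empty list means clean)."""
    return [name for name, rx in SCRIPT_INDICATORS if rx.search(payload)]


def scan_message(raw: bytes) -> list[dict[str, object]]:
    """Walk a raw RFC 5322 message and report XML parts that carry script."""
    findings: list[dict[str, object]] = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart() or not is_xml_part(part):
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        hits = xml_script_indicators(payload)
        if hits:
            findings.append({
                "filename": part.get_filename() or "(unnamed)",
                "content_type": part.get_content_type(),
                "indicators": hits,
            })
    return findings


def build_sample_message(xml_body: bytes, filename: str = "report.xml") -> bytes:
    """Constructed test message: a plain-text body plus one text/xml attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(xml_body, maintype="text", subtype="xml", filename=filename)
    return msg.as_bytes()


# Constructed samples. The malicious one is an XML document whose root is an XHTML
# element, which is enough for a browser rendering it inline to run the script.
BENIGN_XML = b'<?xml version="1.0"?><report><quarter>Q2</quarter><total>42</total></report>'
MALICIOUS_XML = (
    b'<?xml version="1.0"?>'
    b'<x:html xmlns:x="http://www.w3.org/1999/xhtml">'
    b'<x:script>alert(document.domain)</x:script>'
    b'</x:html>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_XML), ("malicious", MALICIOUS_XML)):
        print(label, scan_message(build_sample_message(body)))
```

The scanner keys on the declared content type because that is what drives the preview decision in the flaw; a part declared application/octet-stream but named .xml never reaches the XML preview path. The indicators are deliberately conservative, so a gateway using them should quarantine or alert rather than silently drop, and should treat a hit as a reason to block inline preview, not as proof of intent.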
