{"id":"CVE-2020-13964","details":"An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. include/rcmail_output_html.php allows XSS via the username template object.","aliases":["BIT-roundcube-2020-13964"],"modified":"2026-05-16T03:55:40.824472753Z","published":"2020-06-09T03:15:11.187Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"9.0"},{"last_affected":"10.0"}],"vendor_product":"debian:debian_linux"},{"source":"CPE_FIELD","cpes":["cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"31"},{"last_affected":"32"}],"vendor_product":"fedoraproject:fedora"}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLESQ4LPJGMSWHQ4TBRTVQRDG7IXAZCW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ODPJXBHZ32QSP4MYT2OBCALYXSUJ47SK/"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.3.12"},{"type":"ADVISORY","url":"https://github.com/roundcube/roundcubemail/releases/tag/1.4.5"},{"type":"ADVISORY","url":"https://roundcube.net/news/2020/06/02/security-updates-1.4.5-and-1.3.12"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4700"},{"type":"FIX","url":"https://github.com/roundcube/roundcubemail/commit/37e2bc745723ef6322f0f785aefd0b9313a40f19"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}