{"url":"http://public2.vulnerablecode.io/api/packages/102288?format=json","purl":"pkg:deb/debian/roundcube@1.1.2%2Bdfsg.1-1?distro=trixie","type":"deb","namespace":"debian","name":"roundcube","version":"1.1.2+dfsg.1-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.1.3+dfsg.1-1","latest_non_vulnerable_version":"1.6.16+dfsg-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/203984?format=json","vulnerability_id":"VCID-ftjx-fm66-kfh4","summary":"program/steps/addressbook/photo.inc in Roundcube Webmail before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via the _alt parameter when uploading a vCard.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5382","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5382"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791643","reference_id":"791643","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791643"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102288?format=json","purl":"pkg:deb/debian/roundcube@1.1.2%2Bdfsg.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.2%252Bdfsg.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102269?format=json","purl":"pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f6bd-3n2d-2fd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102267?format=json","purl":"pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u8%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102271?format=json","purl":"pkg:deb/debian/roundcube@1.6.15%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102270?format=json","purl":"pkg:deb/debian/roundcube@1.6.16%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.16%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2015-5382"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ftjx-fm66-kfh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204174?format=json","vulnerability_id":"VCID-qfbx-pq86-zufn","summary":"Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter in a mail task to the default URL, a different vulnerability than CVE-2011-2937.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8793","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8793"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102288?format=json","purl":"pkg:deb/debian/roundcube@1.1.2%2Bdfsg.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.2%252Bdfsg.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102269?format=json","purl":"pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f6bd-3n2d-2fd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102267?format=json","purl":"pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u8%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102271?format=json","purl":"pkg:deb/debian/roundcube@1.6.15%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102270?format=json","purl":"pkg:deb/debian/roundcube@1.6.16%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.16%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2015-8793"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qfbx-pq86-zufn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/204175?format=json","vulnerability_id":"VCID-w8c6-neka-1fgw","summary":"Absolute path traversal vulnerability in program/steps/addressbook/photo.inc in Roundcube before 1.0.6 and 1.1.x before 1.1.2 allows remote authenticated users to read arbitrary files via a full pathname in the _alt parameter, related to contact photo handling.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8794"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102288?format=json","purl":"pkg:deb/debian/roundcube@1.1.2%2Bdfsg.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.2%252Bdfsg.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102269?format=json","purl":"pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f6bd-3n2d-2fd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102267?format=json","purl":"pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u8%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102271?format=json","purl":"pkg:deb/debian/roundcube@1.6.15%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102270?format=json","purl":"pkg:deb/debian/roundcube@1.6.16%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.16%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2015-8794"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w8c6-neka-1fgw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/203983?format=json","vulnerability_id":"VCID-zm6z-xana-6fa8","summary":"Cross-site scripting (XSS) vulnerability in program/include/rcmail.php in Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the _mbox parameter to the default URI.","references":[{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5381","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5381"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791643","reference_id":"791643","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=791643"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/102288?format=json","purl":"pkg:deb/debian/roundcube@1.1.2%2Bdfsg.1-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.2%252Bdfsg.1-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102269?format=json","purl":"pkg:deb/debian/roundcube@1.4.15%2Bdfsg.1-1%2Bdeb11u4?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-f6bd-3n2d-2fd3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.4.15%252Bdfsg.1-1%252Bdeb11u4%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102267?format=json","purl":"pkg:deb/debian/roundcube@1.6.5%2Bdfsg-1%2Bdeb12u8?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.5%252Bdfsg-1%252Bdeb12u8%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102271?format=json","purl":"pkg:deb/debian/roundcube@1.6.15%2Bdfsg-0%2Bdeb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.15%252Bdfsg-0%252Bdeb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/102270?format=json","purl":"pkg:deb/debian/roundcube@1.6.16%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.6.16%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2015-5381"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zm6z-xana-6fa8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/roundcube@1.1.2%252Bdfsg.1-1%3Fdistro=trixie"}